CVE-2025-24436 – magento/community-edition

Package

Manager: composer
Name: magento/community-edition
Vulnerable Version: >=2.4.7-beta1 <2.4.7-p4 || >=2.4.6-p1 <2.4.6-p9 || >=2.4.5-p1 <2.4.5-p11 || >=0 <2.4.4-p12 || =2.4.7 || =2.4.6 || =2.4.5 || =2.4.4 || =2.4.8-beta1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.0005 pctl0.15323

Details

Magento Improper Access Control vulnerability Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in Privilege escalation. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction.

Metadata

Created: 2025-02-11T18:31:42Z
Modified: 2025-02-28T02:45:26Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-ghpr-6qhr-rpp8/GHSA-ghpr-6qhr-rpp8.json
CWE IDs: ["CWE-284", "CWE-863"]
Alternative ID: GHSA-ghpr-6qhr-rpp8
Finding: F039
Auto approve: 1