In PrestaShop v.8.1.7 and earlier, a critical severity vulnerability CVE-2024-41651 was detected. It allows a remote attacker to run arbitrary code through the module upgrade feature. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-41651.
In WooCommerce versions before 3.5.1, a medium severity vulnerability CVE-2024-43128 was detected. This vulnerability allows an attacker to inject malicious code due to insufficient input validation. To fix this issue, users must upgrade to a version later than 3.5.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-43128.
In Magento Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8, and earlier, a high severity Server-Side Request Forgery (SSRF) vulnerability CVE-2024-34111 was detected. This vulnerability allows attackers to force the application to make arbitrary requests, potentially leading to arbitrary file system reads. Exploitation of this issue does not require user interaction. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-34111.
In Magento Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8, and earlier, a high severity vulnerability CVE-2024-34108 was detected. This improper input validation vulnerability allows attackers to execute arbitrary code within the context of the current user. Although no user interaction is required for exploitation, admin privileges are needed, and the scope of the attack is changed. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-34108.
In Magento versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8, and earlier, a critical severity vulnerability CVE-2024-34107 was detected. This vulnerability relates to improper access control and allows attackers to bypass security measures and view minor unauthorized information. Exploitation of this issue does not require user interaction. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-34107.
In Magento versions before 20.10.1, a medium severity vulnerability CVE-2024-41676 was detected. This vulnerability allows attackers to view sensitive files in GitLab. To fix this problem, users should upgrade Magento to version 20.10.1 or higher. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-41676.
In all WooCommerce versions up to, and including, 3.5.1, a medium severity vulnerability CVE-2024-6458 was detected. Attackers with basic access can change post titles without permission. This can also lead to harmful scripts being saved, which can affect admins who view these posts. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-6458.
In Magento-lts, a medium severity vulnerability CVE-2024-41676 was detected. There is a security issue where admins can accidentally add harmful code in these settings: design/header/welcome, design/header/logo_src, design/header/logo_src_small, and design/header/logo_alt. These settings allow text or image URLs but may unintentionally include dangerous code. This issue is fixed in version 20.10.1 and later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-41676.
In WooCommerce 8.8, a medium severity vulnerability CVE-2024-37297 was detected. Attackers can exploit links to add harmful code that steals browser data. The Sourcebuster.js library reads and improperly inserts URL content into forms. Versions 8.8.5 and 8.9.3 fix this issue, or you can disable the Order Attribution feature as a temporary solution. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-37297.