E-commerce

In Magento versions before 20.10.1 a medium severity vulnerability CVE-2024-41676 was detected. This vulnerability allows attackers to view sensitive files in GitLab. To fix this problem, users should upgrade Magento to version 20.10.1 or higher. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-41676.

In all WooCommerce versions up to, and including 3.5.1 a medium severity vulnerability CVE-2024-6458 was detected. Attackers with basic access can change post titles without permission. This can also lead to harmful scripts being saved, which can affect admins who view these posts. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-6458.

In Magento versions prior to 20.10.1 a medium severity vulnerability CVE-2024-41676 was detected. There is a security issue where admins can accidentally add harmful code in these settings: design/header/welcome, design/header/logo_src, design/header/logo_src_small, and design/header/logo_alt. These settings allow text or image URLs but may unintentionally include dangerous code. This issue is fixed in version 20.10.1 and later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-41676.

In WooCommerce 8.8 a medium severity vulnerability CVE-2024-37297 was detected. Attackers can exploit links to add harmful code that steals browser data. The Sourcebuster.js library reads and improperly inserts URL content into forms. To address this issue, users should update WooCommerce to versions 8.8.5 or 8.9.3. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-37297.

In PrestaShop version 8.1.5 a medium severity vulnerability CVE-2024-34717 was detected. A flaw in the invoice system lets anyone access private invoices by tweaking the URL with a random secure key. This risks data breaches and financial discrepancies. To address this issue, users should upgrade PrestaShop to versions 8.1.6. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-34717.

In PrestaShop version 8.1.5 a medium severity vulnerability CVE-2024-34717 was detected. This vulnerability allows any invoice to be downloaded anonymously by using a random secure_key in the URL. This issue is fixed in version 8.1.6, and no workarounds are known. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-34717.

In Vault a low severity vulnerability CVE-2024-5798 was detected. This vulnerability allows attackers to log in to the system with the wrong credentials. To address this issue, users need to update to Vault and Vault Enterprise 1.17.0, 1.16.3, and 1.15.9. For more details, visit https://www.cvedetails.com/cve/CVE-2024-5798/.

In WooCommerce version 5.0.4 a medium severity vulnerability CVE-2024-35748 was detected. This vulnerability allows attackers to get access without an authorization check. There is no solution yet. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-35748/.