In Magento Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier a high severity vulnerability CVE-2024-34108 was detected. This improper input validation vulnerability allows attackers to execute arbitrary code within the context of the current user. Although no user interaction is required for exploitation, admin privileges are needed, and the scope of the attack is changed. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-34108.
Read more E-commerceIn Magento versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier a critical severity vulnerability CVE-2024-34107 was detected. This vulnerability relates to improper access control and allows attackers to bypass security measures and view minor unauthorized information. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-34107.
Read more E-commerceIn Magento versions before 20.10.1 a medium severity vulnerability CVE-2024-41676 was detected. This vulnerability allows attackers to view sensitive files in GitLab. To fix this problem, users should upgrade Magento to version 20.10.1 or higher. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-41676.
Read more E-commerceIn all WooCommerce versions up to, and including 3.5.1 a medium severity vulnerability CVE-2024-6458 was detected. Attackers with basic access can change post titles without permission. This can also lead to harmful scripts being saved, which can affect admins who view these posts. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-6458.
Read more E-commerceIn Magento versions prior to 20.10.1 a medium severity vulnerability CVE-2024-41676 was detected. There is a security issue where admins can accidentally add harmful code in these settings: design/header/welcome, design/header/logo_src, design/header/logo_src_small, and design/header/logo_alt. These settings allow text or image URLs but may unintentionally include dangerous code. This issue is fixed in version 20.10.1 and later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-41676.
Read more E-commerceIn WooCommerce 8.8 a medium severity vulnerability CVE-2024-37297 was detected. Attackers can exploit links to add harmful code that steals browser data. The Sourcebuster.js library reads and improperly inserts URL content into forms. To address this issue, users should update WooCommerce to versions 8.8.5 or 8.9.3. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-37297.
Read more E-commerceIn PrestaShop version 8.1.5 a medium severity vulnerability CVE-2024-34717 was detected. A flaw in the invoice system lets anyone access private invoices by tweaking the URL with a random secure key. This risks data breaches and financial discrepancies. To address this issue, users should upgrade PrestaShop to versions 8.1.6. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-34717.
Read more E-commerceIn PrestaShop version 8.1.5 a medium severity vulnerability CVE-2024-34717 was detected. This vulnerability allows any invoice to be downloaded anonymously by using a random secure_key in the URL. This issue is fixed in version 8.1.6, and no workarounds are known. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-34717.
Read more E-commerceIn Vault a low severity vulnerability CVE-2024-5798 was detected. This vulnerability allows attackers to log in to the system with the wrong credentials. To address this issue, users need to update to Vault and Vault Enterprise 1.17.0, 1.16.3, and 1.15.9. For more details, visit https://www.cvedetails.com/cve/CVE-2024-5798/.
Read more E-commerce