CVE-2024-39322

MEDIUM

Aimeos Ai-controller-frontend < 2020.10.13 - Incorrect Authorization

Description

aimeos/ai-admin-jsonadm is the Aimeos e-commerce JSON API for administrative tasks. In versions prior to 2020.10.13, 2021.10.6, 2022.10.3, 2023.10.4, and 2024.4.2, improper access control allows editors to remove admin group and locale configuration in the Aimeos backend. Versions 2020.10.13, 2021.10.6, 2022.10.3, 2023.10.4, and 2024.4.2 contain a fix for the issue.

Scores

CVSS v3 5.5
EPSS 0.0012
EPSS Percentile 30.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-863
Status published
Products (3)
aimeos/ai-admin-jsonadm 2024.04.1 - 2024.04.2 (Packagist)
aimeos_project/ai-controller-frontend 2024.04.1
aimeos_project/ai-controller-frontend < 2020.10.13
Published Jul 02, 2024
Tracked Since Feb 18, 2026