CVE-2024-39397

CRITICAL

Adobe Commerce 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier - Unrestricted Upload of File with Dangerous Type

Title source: llm

Description

Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution by an attacker. An attacker could exploit this vulnerability by uploading a malicious file which can then be executed on the server. Exploitation of this issue does not require user interaction, but attack complexity is high and scope is changed.

References (1)

Core 1

Core References

Vendor Advisory vendor-advisory

https://helpx.adobe.com/security/products/magento/apsb24-61.html

Scores

CVSS v3 9.0

EPSS 0.0110

EPSS Percentile 61.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-434

Status published

Products (7)

adobe/commerce 2.4.4 (10 CPE variants)

adobe/commerce 2.4.5 (9 CPE variants)

adobe/commerce 2.4.6 (7 CPE variants)

adobe/commerce 2.4.7 (4 CPE variants)

adobe/commerce < 2.4.3

adobe/magento 2.4.4 (10 CPE variants)

adobe/magento 2.4.5 (9 CPE variants)

Published Aug 14, 2024

Tracked Since Feb 18, 2026