CVE-2024-39398

HIGH

Adobe Commerce < 2.4.3 - Brute Force

Title source: rule

Description

Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Restriction of Excessive Authentication Attempts vulnerability that could result in a security feature bypass. An attacker could exploit this vulnerability to perform brute force attacks and potentially gain unauthorized access to accounts. Exploitation of this issue does not require user interaction, but attack complexity is high.

References (1)

[Vendor Advisory] https://helpx.adobe.com/security/products/magento/apsb24-61.html

Scores

CVSS v3 7.4

EPSS 0.0024

EPSS Percentile 46.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-307

Status published

Products (7)

adobe/commerce 2.4.4 (10 CPE variants)

adobe/commerce 2.4.5 (9 CPE variants)

adobe/commerce 2.4.6 (7 CPE variants)

adobe/commerce 2.4.7 (4 CPE variants)

adobe/commerce < 2.4.3

adobe/magento 2.4.4 (10 CPE variants)

adobe/magento 2.4.5 (9 CPE variants)

Published Aug 14, 2024

Tracked Since Feb 18, 2026