CVE-2024-39406

MEDIUM

Adobe Commerce 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier - Authenticated Path Traversal and Arbitrary File Read

Title source: llm

Description

Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. An admin attacker could exploit this vulnerability to gain access to files and directories that are outside the restricted directory. Exploitation of this issue does not require user interaction and scope is changed.

References (1)

Core 1

Core References

Vendor Advisory vendor-advisory

https://helpx.adobe.com/security/products/magento/apsb24-61.html

Scores

CVSS v3 6.8

EPSS 0.0092

EPSS Percentile 76.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-22

Status published

Products (7)

adobe/commerce 2.4.4 (10 CPE variants)

adobe/commerce 2.4.5 (9 CPE variants)

adobe/commerce 2.4.6 (7 CPE variants)

adobe/commerce 2.4.7 (4 CPE variants)

adobe/commerce < 2.4.3

adobe/magento 2.4.4 (10 CPE variants)

adobe/magento 2.4.5 (9 CPE variants)

Published Aug 14, 2024

Tracked Since Feb 18, 2026