Search criteria
11 vulnerabilities by aimeos
CVE-2025-66468 (GCVE-0-2025-66468)
Vulnerability from cvelistv5 – Published: 2025-12-02 18:40 – Updated: 2025-12-02 19:25
VLAI?
Summary
The Aimeos GrapesJS CMS extension provides page editor for creating content pages based on extensible components. Prior to 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8, Javascript code can be injected by malicious editors for a stored XSS attack if the standard Content Security Policy is disabled. This vulnerability is fixed in 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8.
Severity ?
7.7 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| aimeos | ai-cms-grapesjs |
Affected:
>= 2021.04.1, < 2021.10.8
Affected: >= 2022.04.1, < 2022.10.9 Affected: >= 2023.04.1, < 2023.10.15 Affected: >= 2024.04.1, < 2024.10.8 Affected: >= 2025.04.1, < 2025.10.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66468",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-02T19:25:41.414590Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T19:25:50.350Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ai-cms-grapesjs",
"vendor": "aimeos",
"versions": [
{
"status": "affected",
"version": "\u003e= 2021.04.1, \u003c 2021.10.8"
},
{
"status": "affected",
"version": "\u003e= 2022.04.1, \u003c 2022.10.9"
},
{
"status": "affected",
"version": "\u003e= 2023.04.1, \u003c 2023.10.15"
},
{
"status": "affected",
"version": "\u003e= 2024.04.1, \u003c 2024.10.8"
},
{
"status": "affected",
"version": "\u003e= 2025.04.1, \u003c 2025.10.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Aimeos GrapesJS CMS extension provides page editor for creating content pages based on extensible components. Prior to 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8, Javascript code can be injected by malicious editors for a stored XSS attack if the standard Content Security Policy is disabled. This vulnerability is fixed in 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T18:40:44.081Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/aimeos/ai-cms-grapesjs/security/advisories/GHSA-424m-fj2q-g7vg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/aimeos/ai-cms-grapesjs/security/advisories/GHSA-424m-fj2q-g7vg"
},
{
"name": "https://github.com/aimeos/ai-cms-grapesjs/commit/2214f71ac27cdea25f11c8adf6bb5816db47a042",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-cms-grapesjs/commit/2214f71ac27cdea25f11c8adf6bb5816db47a042"
}
],
"source": {
"advisory": "GHSA-424m-fj2q-g7vg",
"discovery": "UNKNOWN"
},
"title": "Aimeos GrapesJS CMS extension possible stores XSS exploitable by authenticated editors"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66468",
"datePublished": "2025-12-02T18:40:44.081Z",
"dateReserved": "2025-12-02T15:43:16.585Z",
"dateUpdated": "2025-12-02T19:25:50.350Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-47173 (GCVE-0-2024-47173)
Vulnerability from cvelistv5 – Published: 2024-10-24 18:54 – Updated: 2024-10-24 20:00
VLAI?
Summary
Aimeos is an e-commerce framework. All SaaS and marketplace setups using the Aimeos GraphQL API admin interface version from 2024.04 up to 2024.07.1 are affected by a potential denial of service attack. Version 2024.07.2 fixes the issue.
Severity ?
5.5 (Medium)
CWE
- CWE-270 - Privilege Context Switching Error
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| aimeos | ai-admin-graphql |
Affected:
>= 2024.04.1, < 2024.07.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47173",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-24T20:00:12.610334Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-24T20:00:27.605Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ai-admin-graphql",
"vendor": "aimeos",
"versions": [
{
"status": "affected",
"version": "\u003e= 2024.04.1, \u003c 2024.07.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Aimeos is an e-commerce framework. All SaaS and marketplace setups using the Aimeos GraphQL API admin interface version from 2024.04 up to 2024.07.1 are affected by a potential denial of service attack. Version 2024.07.2 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-270",
"description": "CWE-270: Privilege Context Switching Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-24T18:54:12.478Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/aimeos/ai-admin-graphql/security/advisories/GHSA-qxgx-hvg3-v92w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/aimeos/ai-admin-graphql/security/advisories/GHSA-qxgx-hvg3-v92w"
}
],
"source": {
"advisory": "GHSA-qxgx-hvg3-v92w",
"discovery": "UNKNOWN"
},
"title": "Aimeos GraphQL API admin interface denial of service vulnerability in SaaS and marketplace setups"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-47173",
"datePublished": "2024-10-24T18:54:12.478Z",
"dateReserved": "2024-09-19T22:32:11.961Z",
"dateUpdated": "2024-10-24T20:00:27.605Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-39319 (GCVE-0-2024-39319)
Vulnerability from cvelistv5 – Published: 2024-09-26 16:07 – Updated: 2024-09-26 18:24
VLAI?
Summary
aimeos/ai-controller-frontend is the Aimeos frontend controller package for e-commerce projects. Prior to versions 2024.4.2, 2023.10.9, 2022.10.8, 2021.10.8, and 2020.10.15, an insecure direct object reference allows an attacker to disable subscriptions and reviews of another customer. Versions 2024.4.2, 2023.10.9, 2022.10.8, 2021.10.8, and 2020.10.15 fix this issue.
Severity ?
5.3 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| aimeos | ai-controller-frontend |
Affected:
= 2024.04.1
Affected: >= 2023.04.1, < 2023.10.9 Affected: >= 2022.04.1, < 2022.10.8 Affected: >= 2021.04.1, < 2021.10.8 Affected: < 2020.10.15 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:aimeos_project:ai-controller-frontend:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ai-controller-frontend",
"vendor": "aimeos_project",
"versions": [
{
"status": "affected",
"version": "2024.04.1"
},
{
"lessThan": "2023.10.9",
"status": "affected",
"version": "2023.04.1",
"versionType": "custom"
},
{
"lessThan": "2022.10.8",
"status": "affected",
"version": "2022.04.1",
"versionType": "custom"
},
{
"lessThan": "2021.10.8",
"status": "affected",
"version": "2021.04.1",
"versionType": "custom"
},
{
"lessThan": "2020.10.15",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39319",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-26T17:55:58.738464Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T18:24:00.120Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ai-controller-frontend",
"vendor": "aimeos",
"versions": [
{
"status": "affected",
"version": "= 2024.04.1"
},
{
"status": "affected",
"version": "\u003e= 2023.04.1, \u003c 2023.10.9"
},
{
"status": "affected",
"version": "\u003e= 2022.04.1, \u003c 2022.10.8"
},
{
"status": "affected",
"version": "\u003e= 2021.04.1, \u003c 2021.10.8"
},
{
"status": "affected",
"version": "\u003c 2020.10.15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "aimeos/ai-controller-frontend is the Aimeos frontend controller package for e-commerce projects. Prior to versions 2024.4.2, 2023.10.9, 2022.10.8, 2021.10.8, and 2020.10.15, an insecure direct object reference allows an attacker to disable subscriptions and reviews of another customer. Versions 2024.4.2, 2023.10.9, 2022.10.8, 2021.10.8, and 2020.10.15 fix this issue."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T16:07:01.482Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/aimeos/ai-controller-frontend/security/advisories/GHSA-rw3j-574h-mrcq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/aimeos/ai-controller-frontend/security/advisories/GHSA-rw3j-574h-mrcq"
},
{
"name": "https://github.com/aimeos/ai-controller-frontend/commit/2ad5c062a629af374da470a319914c321c9bfee2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-controller-frontend/commit/2ad5c062a629af374da470a319914c321c9bfee2"
},
{
"name": "https://github.com/aimeos/ai-controller-frontend/commit/53eebdc51fae34440dfd768a7811c169c7779aa9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-controller-frontend/commit/53eebdc51fae34440dfd768a7811c169c7779aa9"
},
{
"name": "https://github.com/aimeos/ai-controller-frontend/commit/5833db6d18a889b94dc036dfb84b6f5cca73fbac",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-controller-frontend/commit/5833db6d18a889b94dc036dfb84b6f5cca73fbac"
},
{
"name": "https://github.com/aimeos/ai-controller-frontend/commit/6ea6b82f5a1fc18c574cb6f97225930d139b14a5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-controller-frontend/commit/6ea6b82f5a1fc18c574cb6f97225930d139b14a5"
},
{
"name": "https://github.com/aimeos/ai-controller-frontend/commit/700da5ea2b622724b68c8684346bf74ac3bbca9b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-controller-frontend/commit/700da5ea2b622724b68c8684346bf74ac3bbca9b"
},
{
"name": "https://github.com/aimeos/ai-controller-frontend/commit/7c93139f86eff9ec26b117a8918e06ce6cc0000f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-controller-frontend/commit/7c93139f86eff9ec26b117a8918e06ce6cc0000f"
},
{
"name": "https://github.com/aimeos/ai-controller-frontend/commit/ae7baa3f2fbf594c2c1e4b1aae83364a84b241a6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-controller-frontend/commit/ae7baa3f2fbf594c2c1e4b1aae83364a84b241a6"
},
{
"name": "https://github.com/aimeos/ai-controller-frontend/commit/cd8c95aa4663f54bd66a69c5952f2e42405426f3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-controller-frontend/commit/cd8c95aa4663f54bd66a69c5952f2e42405426f3"
},
{
"name": "https://github.com/aimeos/ai-controller-frontend/commit/d4eac06f3a25330c089d8be4397f2ab1936dd9bb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-controller-frontend/commit/d4eac06f3a25330c089d8be4397f2ab1936dd9bb"
},
{
"name": "https://github.com/aimeos/ai-controller-frontend/commit/f7c6a9ce2a6f5a9ad4af31313508870a78398f85",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-controller-frontend/commit/f7c6a9ce2a6f5a9ad4af31313508870a78398f85"
}
],
"source": {
"advisory": "GHSA-rw3j-574h-mrcq",
"discovery": "UNKNOWN"
},
"title": "aimeos/ai-controller-frontend has IDOR vulnerability in account profile page"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-39319",
"datePublished": "2024-09-26T16:07:01.482Z",
"dateReserved": "2024-06-21T18:15:22.262Z",
"dateUpdated": "2024-09-26T18:24:00.120Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-39325 (GCVE-0-2024-39325)
Vulnerability from cvelistv5 – Published: 2024-07-02 20:36 – Updated: 2024-08-02 04:19
VLAI?
Summary
aimeos/ai-controller-frontend is the Aimeos frontend controller. Prior to versions 2024.04.2, 2023.10.9, 2022.10.8, 2021.10.8, and 2020.10.15, aimeos/ai-controller-frontend doesn't reset the payment status of a user's basket after the user completes a purchase. Versions 2024.04.2, 2023.10.9, 2022.10.8, 2021.10.8, and 2020.10.15 fix this issue.
Severity ?
5.3 (Medium)
CWE
- CWE-841 - Improper Enforcement of Behavioral Workflow
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| aimeos | ai-controller-frontend |
Affected:
= 2024.04.1
Affected: >= 2023.04.1, < 2023.10.9 Affected: >= 2022.04.1, < 2022.10.8 Affected: >= 2021.04.1, < 2021.10.8 Affected: < 2020.10.15 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39325",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-02T21:11:59.036836Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T21:12:10.982Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:19:20.638Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/aimeos/ai-controller-frontend/security/advisories/GHSA-m9gv-6p22-qgmj",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-controller-frontend/security/advisories/GHSA-m9gv-6p22-qgmj"
},
{
"name": "https://github.com/aimeos/ai-controller-frontend/commit/16b8837d2466e3665b3c826ce87934b01a847268",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-controller-frontend/commit/16b8837d2466e3665b3c826ce87934b01a847268"
},
{
"name": "https://github.com/aimeos/ai-controller-frontend/commit/24a57001e56759d1582d2a0080fc1ca3ba328630",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-controller-frontend/commit/24a57001e56759d1582d2a0080fc1ca3ba328630"
},
{
"name": "https://github.com/aimeos/ai-controller-frontend/commit/28549808e0f6432a34cd3fb95556deeb86ca276d",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-controller-frontend/commit/28549808e0f6432a34cd3fb95556deeb86ca276d"
},
{
"name": "https://github.com/aimeos/ai-controller-frontend/commit/b1960c0b6e5ee93111a5360c9ce949b3e7528cf7",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-controller-frontend/commit/b1960c0b6e5ee93111a5360c9ce949b3e7528cf7"
},
{
"name": "https://github.com/aimeos/ai-controller-frontend/commit/dafa072783bb692f111ed092d9d2932c113eb855",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-controller-frontend/commit/dafa072783bb692f111ed092d9d2932c113eb855"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ai-controller-frontend",
"vendor": "aimeos",
"versions": [
{
"status": "affected",
"version": "= 2024.04.1"
},
{
"status": "affected",
"version": "\u003e= 2023.04.1, \u003c 2023.10.9"
},
{
"status": "affected",
"version": "\u003e= 2022.04.1, \u003c 2022.10.8"
},
{
"status": "affected",
"version": "\u003e= 2021.04.1, \u003c 2021.10.8"
},
{
"status": "affected",
"version": "\u003c 2020.10.15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "aimeos/ai-controller-frontend is the Aimeos frontend controller. Prior to versions 2024.04.2, 2023.10.9, 2022.10.8, 2021.10.8, and 2020.10.15, aimeos/ai-controller-frontend doesn\u0027t reset the payment status of a user\u0027s basket after the user completes a purchase. Versions 2024.04.2, 2023.10.9, 2022.10.8, 2021.10.8, and 2020.10.15 fix this issue.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-841",
"description": "CWE-841: Improper Enforcement of Behavioral Workflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T20:36:58.336Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/aimeos/ai-controller-frontend/security/advisories/GHSA-m9gv-6p22-qgmj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/aimeos/ai-controller-frontend/security/advisories/GHSA-m9gv-6p22-qgmj"
},
{
"name": "https://github.com/aimeos/ai-controller-frontend/commit/16b8837d2466e3665b3c826ce87934b01a847268",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-controller-frontend/commit/16b8837d2466e3665b3c826ce87934b01a847268"
},
{
"name": "https://github.com/aimeos/ai-controller-frontend/commit/24a57001e56759d1582d2a0080fc1ca3ba328630",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-controller-frontend/commit/24a57001e56759d1582d2a0080fc1ca3ba328630"
},
{
"name": "https://github.com/aimeos/ai-controller-frontend/commit/28549808e0f6432a34cd3fb95556deeb86ca276d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-controller-frontend/commit/28549808e0f6432a34cd3fb95556deeb86ca276d"
},
{
"name": "https://github.com/aimeos/ai-controller-frontend/commit/b1960c0b6e5ee93111a5360c9ce949b3e7528cf7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-controller-frontend/commit/b1960c0b6e5ee93111a5360c9ce949b3e7528cf7"
},
{
"name": "https://github.com/aimeos/ai-controller-frontend/commit/dafa072783bb692f111ed092d9d2932c113eb855",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-controller-frontend/commit/dafa072783bb692f111ed092d9d2932c113eb855"
}
],
"source": {
"advisory": "GHSA-m9gv-6p22-qgmj",
"discovery": "UNKNOWN"
},
"title": "aimeos/ai-controller-frontend doesn\u0027t reset payment status in basket"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-39325",
"datePublished": "2024-07-02T20:36:58.336Z",
"dateReserved": "2024-06-21T18:15:22.264Z",
"dateUpdated": "2024-08-02T04:19:20.638Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-39322 (GCVE-0-2024-39322)
Vulnerability from cvelistv5 – Published: 2024-07-02 20:19 – Updated: 2024-08-02 04:19
VLAI?
Summary
aimeos/ai-admin-jsonadm is the Aimeos e-commerce JSON API for administrative tasks. In versions prior to 2020.10.13, 2021.10.6, 2022.10.3, 2023.10.4, and 2024.4.2, improper access control allows editors to remove admin group and locale configuration in the Aimeos backend. Versions 2020.10.13, 2021.10.6, 2022.10.3, 2023.10.4, and 2024.4.2 contain a fix for the issue.
Severity ?
5.5 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| aimeos | ai-admin-jsonadm |
Affected:
= 2024.04.1
Affected: >= 2023.04.1, < 2023.10.4 Affected: >= 2022.04.1, < 2022.10.3 Affected: >= 2021.04.1, < 2021.10.6 Affected: < 2020.10.13 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39322",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-03T17:28:44.384787Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-03T20:29:20.335Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:19:20.705Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/aimeos/ai-admin-jsonadm/security/advisories/GHSA-8fj2-587w-5whr",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-admin-jsonadm/security/advisories/GHSA-8fj2-587w-5whr"
},
{
"name": "https://github.com/aimeos/ai-admin-jsonadm/commit/02a063fbd616d4e0a5aaf89f1642a856aa5ac5a5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-admin-jsonadm/commit/02a063fbd616d4e0a5aaf89f1642a856aa5ac5a5"
},
{
"name": "https://github.com/aimeos/ai-admin-jsonadm/commit/16d013d0e28cecd19781f434d83fabebcc78cdc2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-admin-jsonadm/commit/16d013d0e28cecd19781f434d83fabebcc78cdc2"
},
{
"name": "https://github.com/aimeos/ai-admin-jsonadm/commit/4c966e02bd52589c3c9382777cfe170eddf17b00",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-admin-jsonadm/commit/4c966e02bd52589c3c9382777cfe170eddf17b00"
},
{
"name": "https://github.com/aimeos/ai-admin-jsonadm/commit/640954243ce85c2c303a00dd6481ed39b3d218fb",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-admin-jsonadm/commit/640954243ce85c2c303a00dd6481ed39b3d218fb"
},
{
"name": "https://github.com/aimeos/ai-admin-jsonadm/commit/7d1c05e8368b0a6419820fe402deac9960500026",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-admin-jsonadm/commit/7d1c05e8368b0a6419820fe402deac9960500026"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ai-admin-jsonadm",
"vendor": "aimeos",
"versions": [
{
"status": "affected",
"version": "= 2024.04.1"
},
{
"status": "affected",
"version": "\u003e= 2023.04.1, \u003c 2023.10.4"
},
{
"status": "affected",
"version": "\u003e= 2022.04.1, \u003c 2022.10.3"
},
{
"status": "affected",
"version": "\u003e= 2021.04.1, \u003c 2021.10.6"
},
{
"status": "affected",
"version": "\u003c 2020.10.13"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "aimeos/ai-admin-jsonadm is the Aimeos e-commerce JSON API for administrative tasks. In versions prior to 2020.10.13, 2021.10.6, 2022.10.3, 2023.10.4, and 2024.4.2, improper access control allows editors to remove admin group and locale configuration in the Aimeos backend. Versions 2020.10.13, 2021.10.6, 2022.10.3, 2023.10.4, and 2024.4.2 contain a fix for the issue.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T20:19:01.919Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/aimeos/ai-admin-jsonadm/security/advisories/GHSA-8fj2-587w-5whr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/aimeos/ai-admin-jsonadm/security/advisories/GHSA-8fj2-587w-5whr"
},
{
"name": "https://github.com/aimeos/ai-admin-jsonadm/commit/02a063fbd616d4e0a5aaf89f1642a856aa5ac5a5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-admin-jsonadm/commit/02a063fbd616d4e0a5aaf89f1642a856aa5ac5a5"
},
{
"name": "https://github.com/aimeos/ai-admin-jsonadm/commit/16d013d0e28cecd19781f434d83fabebcc78cdc2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-admin-jsonadm/commit/16d013d0e28cecd19781f434d83fabebcc78cdc2"
},
{
"name": "https://github.com/aimeos/ai-admin-jsonadm/commit/4c966e02bd52589c3c9382777cfe170eddf17b00",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-admin-jsonadm/commit/4c966e02bd52589c3c9382777cfe170eddf17b00"
},
{
"name": "https://github.com/aimeos/ai-admin-jsonadm/commit/640954243ce85c2c303a00dd6481ed39b3d218fb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-admin-jsonadm/commit/640954243ce85c2c303a00dd6481ed39b3d218fb"
},
{
"name": "https://github.com/aimeos/ai-admin-jsonadm/commit/7d1c05e8368b0a6419820fe402deac9960500026",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-admin-jsonadm/commit/7d1c05e8368b0a6419820fe402deac9960500026"
}
],
"source": {
"advisory": "GHSA-8fj2-587w-5whr",
"discovery": "UNKNOWN"
},
"title": "aimeos/ai-admin-jsonadm improper access control vulnerability allows editors to remove required records"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-39322",
"datePublished": "2024-07-02T20:19:01.919Z",
"dateReserved": "2024-06-21T18:15:22.263Z",
"dateUpdated": "2024-08-02T04:19:20.705Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-39324 (GCVE-0-2024-39324)
Vulnerability from cvelistv5 – Published: 2024-07-02 20:09 – Updated: 2024-08-02 04:19
VLAI?
Summary
aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.1 and prior to versions 2022.10.10, 2023.10.6, and 2024.4.2, improper access control allows a editors to manage own services via GraphQL API which isn't allowed in the JQAdm front end. Versions 2022.10.10, 2023.10.6, and 2024.4.2 contain a patch for the issue.
Severity ?
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| aimeos | ai-admin-graphql |
Affected:
>= 2022.04.1, < 2022.10.10
Affected: >= 2023.04.1, < 2023.10.6 Affected: = 2024.04.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39324",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-09T15:21:05.566787Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-09T15:21:12.520Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:19:20.752Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/aimeos/ai-admin-graphql/security/advisories/GHSA-jj68-cp4v-98qf",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-admin-graphql/security/advisories/GHSA-jj68-cp4v-98qf"
},
{
"name": "https://github.com/aimeos/ai-admin-graphql/commit/4eabc2b973509ffa5924e7f88c8f87ee96e93b38",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/4eabc2b973509ffa5924e7f88c8f87ee96e93b38"
},
{
"name": "https://github.com/aimeos/ai-admin-graphql/commit/687059d7eb2e1d55a09ed72dad3814f35edad038",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/687059d7eb2e1d55a09ed72dad3814f35edad038"
},
{
"name": "https://github.com/aimeos/ai-admin-graphql/commit/a839a5adf16fee4221d444b7d2f5140d8cabf0ac",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/a839a5adf16fee4221d444b7d2f5140d8cabf0ac"
},
{
"name": "https://github.com/aimeos/ai-admin-graphql/commit/acbb044620f4ff8e8d78a775cd205ec47cf119b3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/acbb044620f4ff8e8d78a775cd205ec47cf119b3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ai-admin-graphql",
"vendor": "aimeos",
"versions": [
{
"status": "affected",
"version": "\u003e= 2022.04.1, \u003c 2022.10.10"
},
{
"status": "affected",
"version": "\u003e= 2023.04.1, \u003c 2023.10.6"
},
{
"status": "affected",
"version": "= 2024.04.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.1 and prior to versions 2022.10.10, 2023.10.6, and 2024.4.2, improper access control allows a editors to manage own services via GraphQL API which isn\u0027t allowed in the JQAdm front end. Versions 2022.10.10, 2023.10.6, and 2024.4.2 contain a patch for the issue.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1220",
"description": "CWE-1220: Insufficient Granularity of Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T20:09:22.872Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/aimeos/ai-admin-graphql/security/advisories/GHSA-jj68-cp4v-98qf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/aimeos/ai-admin-graphql/security/advisories/GHSA-jj68-cp4v-98qf"
},
{
"name": "https://github.com/aimeos/ai-admin-graphql/commit/4eabc2b973509ffa5924e7f88c8f87ee96e93b38",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/4eabc2b973509ffa5924e7f88c8f87ee96e93b38"
},
{
"name": "https://github.com/aimeos/ai-admin-graphql/commit/687059d7eb2e1d55a09ed72dad3814f35edad038",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/687059d7eb2e1d55a09ed72dad3814f35edad038"
},
{
"name": "https://github.com/aimeos/ai-admin-graphql/commit/a839a5adf16fee4221d444b7d2f5140d8cabf0ac",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/a839a5adf16fee4221d444b7d2f5140d8cabf0ac"
},
{
"name": "https://github.com/aimeos/ai-admin-graphql/commit/acbb044620f4ff8e8d78a775cd205ec47cf119b3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/acbb044620f4ff8e8d78a775cd205ec47cf119b3"
}
],
"source": {
"advisory": "GHSA-jj68-cp4v-98qf",
"discovery": "UNKNOWN"
},
"title": "aimeos/ai-admin-graphql improper access control vulnerability allows editors to manage own services"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-39324",
"datePublished": "2024-07-02T20:09:22.872Z",
"dateReserved": "2024-06-21T18:15:22.263Z",
"dateUpdated": "2024-08-02T04:19:20.752Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-39323 (GCVE-0-2024-39323)
Vulnerability from cvelistv5 – Published: 2024-07-02 16:03 – Updated: 2024-08-02 04:19
VLAI?
Summary
aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.01 and prior to versions 2022.10.10, 2023.10.6, and 2024.04.6, an improper access control vulnerability allows an editor to modify and take over an admin account in the back end. Versions 2022.10.10, 2023.10.6, and 2024.04.6 fix this issue.
Severity ?
7.1 (High)
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| aimeos | ai-admin-graphql |
Affected:
>= 2022.04.1, < 2022.10.10
Affected: >= 2023.04.1, < 2023.10.6 Affected: >= 2024.04.1, < 2024.04.6 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39323",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-02T18:03:14.407678Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T18:04:26.671Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:19:20.645Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/aimeos/ai-admin-graphql/security/advisories/GHSA-vc7j-99jw-jrqm",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-admin-graphql/security/advisories/GHSA-vc7j-99jw-jrqm"
},
{
"name": "https://github.com/aimeos/ai-admin-graphql/commit/2d89d98cdcad880a9244b50736b08c1a171379ca",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/2d89d98cdcad880a9244b50736b08c1a171379ca"
},
{
"name": "https://github.com/aimeos/ai-admin-graphql/commit/54d6b7cf4530cb3b95f52775c24056c48e6d26e9",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/54d6b7cf4530cb3b95f52775c24056c48e6d26e9"
},
{
"name": "https://github.com/aimeos/ai-admin-graphql/commit/787028de0a3ecbf3e9f63ab1454eac99ce7693a9",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/787028de0a3ecbf3e9f63ab1454eac99ce7693a9"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ai-admin-graphql",
"vendor": "aimeos",
"versions": [
{
"status": "affected",
"version": "\u003e= 2022.04.1, \u003c 2022.10.10"
},
{
"status": "affected",
"version": "\u003e= 2023.04.1, \u003c 2023.10.6"
},
{
"status": "affected",
"version": "\u003e= 2024.04.1, \u003c 2024.04.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.01 and prior to versions 2022.10.10, 2023.10.6, and 2024.04.6, an improper access control vulnerability allows an editor to modify and take over an admin account in the back end. Versions 2022.10.10, 2023.10.6, and 2024.04.6 fix this issue.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1220",
"description": "CWE-1220: Insufficient Granularity of Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T16:03:03.253Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/aimeos/ai-admin-graphql/security/advisories/GHSA-vc7j-99jw-jrqm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/aimeos/ai-admin-graphql/security/advisories/GHSA-vc7j-99jw-jrqm"
},
{
"name": "https://github.com/aimeos/ai-admin-graphql/commit/2d89d98cdcad880a9244b50736b08c1a171379ca",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/2d89d98cdcad880a9244b50736b08c1a171379ca"
},
{
"name": "https://github.com/aimeos/ai-admin-graphql/commit/54d6b7cf4530cb3b95f52775c24056c48e6d26e9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/54d6b7cf4530cb3b95f52775c24056c48e6d26e9"
},
{
"name": "https://github.com/aimeos/ai-admin-graphql/commit/787028de0a3ecbf3e9f63ab1454eac99ce7693a9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-admin-graphql/commit/787028de0a3ecbf3e9f63ab1454eac99ce7693a9"
}
],
"source": {
"advisory": "GHSA-vc7j-99jw-jrqm",
"discovery": "UNKNOWN"
},
"title": "aimeos/ai-admin-graphql improper access control vulnerability allows an editor to modify admin account"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-39323",
"datePublished": "2024-07-02T16:03:03.253Z",
"dateReserved": "2024-06-21T18:15:22.263Z",
"dateUpdated": "2024-08-02T04:19:20.645Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-38516 (GCVE-0-2024-38516)
Vulnerability from cvelistv5 – Published: 2024-06-25 20:08 – Updated: 2024-08-02 04:12
VLAI?
Summary
ai-client-html is an Aimeos e-commerce HTML client component. Debug information revealed sensitive information from environment variables in error log. This issue has been patched in versions 2024.04.7, 2023.10.15, 2022.10.13 and 2021.10.22.
Severity ?
8.8 (High)
CWE
- CWE-1295 - Debug Messages Revealing Unnecessary Information
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| aimeos | ai-client-html |
Affected:
>= 2024.04.1, < 2024.04.7
Affected: >= 2023.04.1, < 2023.10.15 Affected: >= 2022.04.1, < 2022.10.13 Affected: >= 2021.10.1, < 2021.10.22 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-38516",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-26T15:31:50.282028Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-26T15:31:57.740Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:12:25.172Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/aimeos/ai-client-html/security/advisories/GHSA-ppm5-jv84-2xg2",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-client-html/security/advisories/GHSA-ppm5-jv84-2xg2"
},
{
"name": "https://github.com/aimeos/ai-client-html/commit/bb389620ffc3cf4a2f29c11a1e5f512049e0c132",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-client-html/commit/bb389620ffc3cf4a2f29c11a1e5f512049e0c132"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ai-client-html",
"vendor": "aimeos",
"versions": [
{
"status": "affected",
"version": "\u003e= 2024.04.1, \u003c 2024.04.7"
},
{
"status": "affected",
"version": "\u003e= 2023.04.1, \u003c 2023.10.15"
},
{
"status": "affected",
"version": "\u003e= 2022.04.1, \u003c 2022.10.13"
},
{
"status": "affected",
"version": "\u003e= 2021.10.1, \u003c 2021.10.22"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ai-client-html is an Aimeos e-commerce HTML client component. Debug information revealed sensitive information from environment variables in error log. This issue has been patched in versions 2024.04.7, 2023.10.15, 2022.10.13 and 2021.10.22."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1295",
"description": "CWE-1295: Debug Messages Revealing Unnecessary Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-25T20:08:50.779Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/aimeos/ai-client-html/security/advisories/GHSA-ppm5-jv84-2xg2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/aimeos/ai-client-html/security/advisories/GHSA-ppm5-jv84-2xg2"
},
{
"name": "https://github.com/aimeos/ai-client-html/commit/bb389620ffc3cf4a2f29c11a1e5f512049e0c132",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-client-html/commit/bb389620ffc3cf4a2f29c11a1e5f512049e0c132"
}
],
"source": {
"advisory": "GHSA-ppm5-jv84-2xg2",
"discovery": "UNKNOWN"
},
"title": "Aimeos HTML client may potentially reveal sensitive information in error log"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-38516",
"datePublished": "2024-06-25T20:08:50.779Z",
"dateReserved": "2024-06-18T16:37:02.727Z",
"dateUpdated": "2024-08-02T04:12:25.172Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-37296 (GCVE-0-2024-37296)
Vulnerability from cvelistv5 – Published: 2024-06-11 14:43 – Updated: 2024-08-02 03:50
VLAI?
Summary
The Aimeos HTML client provides Aimeos HTML components for e-commerce projects. Starting in version 2020.04.1 and prior to versions 2020.10.27, 2021.10.21, 2022.10.12, 2023.10.14, and 2024.04.5, digital downloads sold in online shops can be downloaded without valid payment, e.g. if the payment didn't succeed. Versions 2020.10.27, 2021.10.21, 2022.10.12, 2023.10.14, and 2024.04.5 fix this issue.
Severity ?
5.3 (Medium)
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| aimeos | ai-client-html |
Affected:
>= 2024.04.1, < 2024.04.5
Affected: >= 2023.04.1, < 2023.10.14 Affected: >= 2022.04.1, < 2022.10.12 Affected: >= 2021.04.1, < 2021.10.21 Affected: >= 2020.04.1, < 2020.10.27 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37296",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-11T18:47:05.124830Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-11T18:47:35.742Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:50:56.097Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/aimeos/ai-client-html/security/advisories/GHSA-v4g2-cm5v-cxv7",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-client-html/security/advisories/GHSA-v4g2-cm5v-cxv7"
},
{
"name": "https://github.com/aimeos/ai-client-html/commit/12d8aad1a373bf9d350872501adec3e222164f83",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-client-html/commit/12d8aad1a373bf9d350872501adec3e222164f83"
},
{
"name": "https://github.com/aimeos/ai-client-html/commit/5a7249769142b3ce70959ab1fb70c7e7c251e214",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-client-html/commit/5a7249769142b3ce70959ab1fb70c7e7c251e214"
},
{
"name": "https://github.com/aimeos/ai-client-html/commit/6460ffe8f4929d864164aa96c5b49eca5326d975",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-client-html/commit/6460ffe8f4929d864164aa96c5b49eca5326d975"
},
{
"name": "https://github.com/aimeos/ai-client-html/commit/7f01d2f4fbc67f5231fd84adeb835d28252b8409",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-client-html/commit/7f01d2f4fbc67f5231fd84adeb835d28252b8409"
},
{
"name": "https://github.com/aimeos/ai-client-html/commit/fc611ff9a57e421d0ad9d99346b561cea515c5f0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/aimeos/ai-client-html/commit/fc611ff9a57e421d0ad9d99346b561cea515c5f0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ai-client-html",
"vendor": "aimeos",
"versions": [
{
"status": "affected",
"version": "\u003e= 2024.04.1, \u003c 2024.04.5"
},
{
"status": "affected",
"version": "\u003e= 2023.04.1, \u003c 2023.10.14"
},
{
"status": "affected",
"version": "\u003e= 2022.04.1, \u003c 2022.10.12"
},
{
"status": "affected",
"version": "\u003e= 2021.04.1, \u003c 2021.10.21"
},
{
"status": "affected",
"version": "\u003e= 2020.04.1, \u003c 2020.10.27"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Aimeos HTML client provides Aimeos HTML components for e-commerce projects. Starting in version 2020.04.1 and prior to versions 2020.10.27, 2021.10.21, 2022.10.12, 2023.10.14, and 2024.04.5, digital downloads sold in online shops can be downloaded without valid payment, e.g. if the payment didn\u0027t succeed. Versions 2020.10.27, 2021.10.21, 2022.10.12, 2023.10.14, and 2024.04.5 fix this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-841",
"description": "CWE-841: Improper Enforcement of Behavioral Workflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-11T14:43:39.391Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/aimeos/ai-client-html/security/advisories/GHSA-v4g2-cm5v-cxv7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/aimeos/ai-client-html/security/advisories/GHSA-v4g2-cm5v-cxv7"
},
{
"name": "https://github.com/aimeos/ai-client-html/commit/12d8aad1a373bf9d350872501adec3e222164f83",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-client-html/commit/12d8aad1a373bf9d350872501adec3e222164f83"
},
{
"name": "https://github.com/aimeos/ai-client-html/commit/5a7249769142b3ce70959ab1fb70c7e7c251e214",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-client-html/commit/5a7249769142b3ce70959ab1fb70c7e7c251e214"
},
{
"name": "https://github.com/aimeos/ai-client-html/commit/6460ffe8f4929d864164aa96c5b49eca5326d975",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-client-html/commit/6460ffe8f4929d864164aa96c5b49eca5326d975"
},
{
"name": "https://github.com/aimeos/ai-client-html/commit/7f01d2f4fbc67f5231fd84adeb835d28252b8409",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-client-html/commit/7f01d2f4fbc67f5231fd84adeb835d28252b8409"
},
{
"name": "https://github.com/aimeos/ai-client-html/commit/fc611ff9a57e421d0ad9d99346b561cea515c5f0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aimeos/ai-client-html/commit/fc611ff9a57e421d0ad9d99346b561cea515c5f0"
}
],
"source": {
"advisory": "GHSA-v4g2-cm5v-cxv7",
"discovery": "UNKNOWN"
},
"title": "Aimeos HTML client vulnerable to digital products download without proper payment status check"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-37296",
"datePublished": "2024-06-11T14:43:39.391Z",
"dateReserved": "2024-06-05T20:10:46.496Z",
"dateUpdated": "2024-08-02T03:50:56.097Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-37295 (GCVE-0-2024-37295)
Vulnerability from cvelistv5 – Published: 2024-06-11 14:38 – Updated: 2024-08-02 03:50
VLAI?
Summary
Aimeos is an Open Source e-commerce framework for online shops. Starting in version 2024.01.1 and prior to version 2024.04.5, a user with administrative privileges can upload files that look like images but contain PHP code which can then be executed in the context of the web server. Version 2024.04.5 fixes the issue.
Severity ?
7.2 (High)
CWE
- CWE-73 - External Control of File Name or Path
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| aimeos | aimeos-core |
Affected:
>= 2024.04.1, < 2024.04.5
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:aimeos:aimeos-core:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "aimeos-core",
"vendor": "aimeos",
"versions": [
{
"lessThan": "2024.04.5",
"status": "affected",
"version": "2024.01.1",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37295",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-11T17:22:47.879934Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-11T17:22:52.398Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:50:56.094Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/aimeos/aimeos-core/security/advisories/GHSA-rhc2-23c2-ww7c",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/aimeos/aimeos-core/security/advisories/GHSA-rhc2-23c2-ww7c"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "aimeos-core",
"vendor": "aimeos",
"versions": [
{
"status": "affected",
"version": "\u003e= 2024.04.1, \u003c 2024.04.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Aimeos is an Open Source e-commerce framework for online shops. Starting in version 2024.01.1 and prior to version 2024.04.5, a user with administrative privileges can upload files that look like images but contain PHP code which can then be executed in the context of the web server. Version 2024.04.5 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-73",
"description": "CWE-73: External Control of File Name or Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-11T14:38:17.416Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/aimeos/aimeos-core/security/advisories/GHSA-rhc2-23c2-ww7c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/aimeos/aimeos-core/security/advisories/GHSA-rhc2-23c2-ww7c"
}
],
"source": {
"advisory": "GHSA-rhc2-23c2-ww7c",
"discovery": "UNKNOWN"
},
"title": "Aimeos Core remote code execution in web server context"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-37295",
"datePublished": "2024-06-11T14:38:17.416Z",
"dateReserved": "2024-06-05T20:10:46.496Z",
"dateUpdated": "2024-08-02T03:50:56.094Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-37294 (GCVE-0-2024-37294)
Vulnerability from cvelistv5 – Published: 2024-06-11 14:16 – Updated: 2024-08-02 03:50
VLAI?
Summary
Aimeos is an Open Source e-commerce framework for online shops. All SaaS and marketplace setups using Aimeos version from 2022/2023/2024 are affected by a potential denial of service attack. Users should upgrade to versions 2022.10.17, 2023.10.17, or 2024.04 of the aimeos/aimeos-core package to receive a patch.
Severity ?
5.5 (Medium)
CWE
- CWE-270 - Privilege Context Switching Error
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| aimeos | aimeos-core |
Affected:
>= 2024.04.1, < 2024.04.7
Affected: >= 2023.04.1, < 2023.10.17 Affected: >= 2022.04.1, < 2022.10.17 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:aimeos:aimeos-core:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "aimeos-core",
"vendor": "aimeos",
"versions": [
{
"lessThan": "2024.04.7",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2023.10.17",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2022.10.17",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37294",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-11T17:07:16.523748Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-11T17:10:16.585Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:50:55.957Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/aimeos/aimeos-core/security/advisories/GHSA-xjm6-jfmg-qc6p",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/aimeos/aimeos-core/security/advisories/GHSA-xjm6-jfmg-qc6p"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "aimeos-core",
"vendor": "aimeos",
"versions": [
{
"status": "affected",
"version": "\u003e= 2024.04.1, \u003c 2024.04.7"
},
{
"status": "affected",
"version": "\u003e= 2023.04.1, \u003c 2023.10.17"
},
{
"status": "affected",
"version": "\u003e= 2022.04.1, \u003c 2022.10.17"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Aimeos is an Open Source e-commerce framework for online shops. All SaaS and marketplace setups using Aimeos version from 2022/2023/2024 are affected by a potential denial of service attack. Users should upgrade to versions 2022.10.17, 2023.10.17, or 2024.04 of the aimeos/aimeos-core package to receive a patch.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-270",
"description": "CWE-270: Privilege Context Switching Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-11T14:16:29.756Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/aimeos/aimeos-core/security/advisories/GHSA-xjm6-jfmg-qc6p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/aimeos/aimeos-core/security/advisories/GHSA-xjm6-jfmg-qc6p"
}
],
"source": {
"advisory": "GHSA-xjm6-jfmg-qc6p",
"discovery": "UNKNOWN"
},
"title": "Aimeos denial of service vulnerability in SaaS and marketplace setups"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-37294",
"datePublished": "2024-06-11T14:16:29.756Z",
"dateReserved": "2024-06-05T20:10:46.496Z",
"dateUpdated": "2024-08-02T03:50:55.957Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}