github - ghsa-v4g2-cm5v-cxv7

GHSA-V4G2-CM5V-CXV7

Vulnerability from github – Published: 2024-06-05 13:30 – Updated: 2024-06-11 20:58

Summary

Digital products download without proper payment status check

Details

Impact

Digital downloads sold in online shops can be downloaded without valid payment, e.g. if the payment didn't succeed.

Patches

New versions for the Aimeos HTML client 2020-2024 are available

Severity ?

5.3 (Medium)


                  
                    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 2024.04.4"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "aimeos/ai-client-html"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2024.04.1"
            },
            {
              "fixed": "2024.04.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "aimeos/ai-client-html"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2023.04.1"
            },
            {
              "fixed": "2023.10.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "aimeos/ai-client-html"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2022.04.1"
            },
            {
              "fixed": "2022.10.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "aimeos/ai-client-html"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2021.04.1"
            },
            {
              "fixed": "2021.10.21"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "aimeos/ai-client-html"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2020.04.1"
            },
            {
              "fixed": "2020.10.27"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-37296"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-841"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-05T13:30:55Z",
    "nvd_published_at": "2024-06-11T15:16:09Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nDigital downloads sold in online shops can be downloaded without valid payment, e.g. if the payment didn\u0027t succeed.\n\n### Patches\nNew versions for the Aimeos HTML client 2020-2024 are available\n",
  "id": "GHSA-v4g2-cm5v-cxv7",
  "modified": "2024-06-11T20:58:10Z",
  "published": "2024-06-05T13:30:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/aimeos/ai-client-html/security/advisories/GHSA-v4g2-cm5v-cxv7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37296"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aimeos/ai-client-html/commit/12d8aad1a373bf9d350872501adec3e222164f83"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aimeos/ai-client-html/commit/5a7249769142b3ce70959ab1fb70c7e7c251e214"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aimeos/ai-client-html/commit/6460ffe8f4929d864164aa96c5b49eca5326d975"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aimeos/ai-client-html/commit/7f01d2f4fbc67f5231fd84adeb835d28252b8409"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aimeos/ai-client-html/commit/fc611ff9a57e421d0ad9d99346b561cea515c5f0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/aimeos/ai-client-html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Digital products download without proper payment status check"
}

CVE-2024-37296 (GCVE-0-2024-37296)

Vulnerability from cvelistv5 – Published: 2024-06-11 14:43 – Updated: 2024-08-02 03:50

Summary

The Aimeos HTML client provides Aimeos HTML components for e-commerce projects. Starting in version 2020.04.1 and prior to versions 2020.10.27, 2021.10.21, 2022.10.12, 2023.10.14, and 2024.04.5, digital downloads sold in online shops can be downloaded without valid payment, e.g. if the payment didn't succeed. Versions 2020.10.27, 2021.10.21, 2022.10.12, 2023.10.14, and 2024.04.5 fix this issue.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-841 - Improper Enforcement of Behavioral Workflow
CWE-862 - Missing Authorization

Assigner

GitHub_M

References

URL

Tags

	https://github.com/aimeos/ai-client-html/security…	x_refsource_CONFIRM
	https://github.com/aimeos/ai-client-html/commit/1…	x_refsource_MISC
	https://github.com/aimeos/ai-client-html/commit/5…	x_refsource_MISC
	https://github.com/aimeos/ai-client-html/commit/6…	x_refsource_MISC
	https://github.com/aimeos/ai-client-html/commit/7…	x_refsource_MISC
	https://github.com/aimeos/ai-client-html/commit/f…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	aimeos	ai-client-html	Affected: >= 2024.04.1, < 2024.04.5 Affected: >= 2023.04.1, < 2023.10.14 Affected: >= 2022.04.1, < 2022.10.12 Affected: >= 2021.04.1, < 2021.10.21 Affected: >= 2020.04.1, < 2020.10.27

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-37296",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-11T18:47:05.124830Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-11T18:47:35.742Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T03:50:56.097Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/aimeos/ai-client-html/security/advisories/GHSA-v4g2-cm5v-cxv7",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/aimeos/ai-client-html/security/advisories/GHSA-v4g2-cm5v-cxv7"
          },
          {
            "name": "https://github.com/aimeos/ai-client-html/commit/12d8aad1a373bf9d350872501adec3e222164f83",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/aimeos/ai-client-html/commit/12d8aad1a373bf9d350872501adec3e222164f83"
          },
          {
            "name": "https://github.com/aimeos/ai-client-html/commit/5a7249769142b3ce70959ab1fb70c7e7c251e214",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/aimeos/ai-client-html/commit/5a7249769142b3ce70959ab1fb70c7e7c251e214"
          },
          {
            "name": "https://github.com/aimeos/ai-client-html/commit/6460ffe8f4929d864164aa96c5b49eca5326d975",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/aimeos/ai-client-html/commit/6460ffe8f4929d864164aa96c5b49eca5326d975"
          },
          {
            "name": "https://github.com/aimeos/ai-client-html/commit/7f01d2f4fbc67f5231fd84adeb835d28252b8409",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/aimeos/ai-client-html/commit/7f01d2f4fbc67f5231fd84adeb835d28252b8409"
          },
          {
            "name": "https://github.com/aimeos/ai-client-html/commit/fc611ff9a57e421d0ad9d99346b561cea515c5f0",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/aimeos/ai-client-html/commit/fc611ff9a57e421d0ad9d99346b561cea515c5f0"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ai-client-html",
          "vendor": "aimeos",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2024.04.1, \u003c 2024.04.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 2023.04.1, \u003c 2023.10.14"
            },
            {
              "status": "affected",
              "version": "\u003e= 2022.04.1, \u003c 2022.10.12"
            },
            {
              "status": "affected",
              "version": "\u003e= 2021.04.1, \u003c 2021.10.21"
            },
            {
              "status": "affected",
              "version": "\u003e= 2020.04.1, \u003c 2020.10.27"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Aimeos HTML client provides Aimeos HTML components for e-commerce projects. Starting in version 2020.04.1 and prior to versions 2020.10.27, 2021.10.21, 2022.10.12, 2023.10.14, and 2024.04.5, digital downloads sold in online shops can be downloaded without valid payment, e.g. if the payment didn\u0027t succeed. Versions 2020.10.27, 2021.10.21, 2022.10.12, 2023.10.14, and 2024.04.5 fix this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-841",
              "description": "CWE-841: Improper Enforcement of Behavioral Workflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-06-11T14:43:39.391Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/aimeos/ai-client-html/security/advisories/GHSA-v4g2-cm5v-cxv7",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/aimeos/ai-client-html/security/advisories/GHSA-v4g2-cm5v-cxv7"
        },
        {
          "name": "https://github.com/aimeos/ai-client-html/commit/12d8aad1a373bf9d350872501adec3e222164f83",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/aimeos/ai-client-html/commit/12d8aad1a373bf9d350872501adec3e222164f83"
        },
        {
          "name": "https://github.com/aimeos/ai-client-html/commit/5a7249769142b3ce70959ab1fb70c7e7c251e214",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/aimeos/ai-client-html/commit/5a7249769142b3ce70959ab1fb70c7e7c251e214"
        },
        {
          "name": "https://github.com/aimeos/ai-client-html/commit/6460ffe8f4929d864164aa96c5b49eca5326d975",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/aimeos/ai-client-html/commit/6460ffe8f4929d864164aa96c5b49eca5326d975"
        },
        {
          "name": "https://github.com/aimeos/ai-client-html/commit/7f01d2f4fbc67f5231fd84adeb835d28252b8409",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/aimeos/ai-client-html/commit/7f01d2f4fbc67f5231fd84adeb835d28252b8409"
        },
        {
          "name": "https://github.com/aimeos/ai-client-html/commit/fc611ff9a57e421d0ad9d99346b561cea515c5f0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/aimeos/ai-client-html/commit/fc611ff9a57e421d0ad9d99346b561cea515c5f0"
        }
      ],
      "source": {
        "advisory": "GHSA-v4g2-cm5v-cxv7",
        "discovery": "UNKNOWN"
      },
      "title": "Aimeos HTML client vulnerable to digital products download without proper payment status check"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-37296",
    "datePublished": "2024-06-11T14:43:39.391Z",
    "dateReserved": "2024-06-05T20:10:46.496Z",
    "dateUpdated": "2024-08-02T03:50:56.097Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted