5.3
CVE-2024-39319
- EPSS 0.31%
- Published 26.09.2024 16:15:07
- Last modified 05.03.2025 14:53:25
- Source security-advisories@github.com
- Teams watchlist Login
- Open Login
aimeos/ai-controller-frontend is the Aimeos frontend controller package for e-commerce projects. Prior to versions 2024.4.2, 2023.10.9, 2022.10.8, 2021.10.8, and 2020.10.15, an insecure direct object reference allows an attacker to disable subscriptions and reviews of another customer. Versions 2024.4.2, 2023.10.9, 2022.10.8, 2021.10.8, and 2020.10.15 fix this issue.
Data is provided by the National Vulnerability Database (NVD)
Aimeos ≫ Aimeos Frontend Controller Version < 2020.10.15
Aimeos ≫ Aimeos Frontend Controller Version >= 2021.04.1 < 2021.10.8
Aimeos ≫ Aimeos Frontend Controller Version >= 2022.04.1 < 2022.10.8
Aimeos ≫ Aimeos Frontend Controller Version >= 2023.04.1 < 2023.10.9
Aimeos ≫ Aimeos Frontend Controller Version2024.04.1
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.31% | 0.534 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 5.3 | 3.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
|
| security-advisories@github.com | 5.3 | 3.9 | 1.4 |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
|
CWE-639 Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.