PT-2022-6404 · Adobe · Commerce

Published: 2022-08-09 · Updated: 2024-03-06 · CVE-2022-42344

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Adobe Commerce versions 2.4.3-p2 and earlier
Adobe Commerce versions 2.3.7-p3 and earlier
Adobe Commerce versions 2.4.4 and earlier

Description

The issue stems from insufficient input validation, which allows a remote attacker to potentially elevate their privileges. An authenticated attacker can exploit it to obtain information exposure and privilege escalation. The vulnerability is triggered through an insecure direct object reference (IDOR) in the V1/customers/me endpoint.

Recommendations

For Adobe Commerce versions 2.4.3-p2 and earlier, update to a version that includes the fix for this issue.
For Adobe Commerce versions 2.3.7-p3 and earlier, update to a version that includes the fix for this issue.
For Adobe Commerce versions 2.4.4 and earlier, update to a version that includes the fix for this issue.

As a temporary workaround, consider restricting access to the V1/customers/me endpoint to reduce the risk of exploitation.

Fix · Incorrect Authorization · IDOR · RCE

Weakness Enumeration

Related Identifiers

BDU:2023-01175
BIT-MAGENTO-2022-42344
CVE-2022-42344
GHSA-297F-R9W7-W492

Affected Products

Commerce