#VU95942 Arbitrary file upload in Adobe Commerce (formerly Magento Commerce) and Magento Open Source - CVE-2024-39397
Published: August 13, 2024
Vulnerability identifier: #VU95942
Vulnerability risk: Critical
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Red
CVE-ID: CVE-2024-39397
CWE-ID: CWE-434
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Adobe Commerce (formerly Magento Commerce)
Magento Open Source
Adobe Commerce (formerly Magento Commerce)
Magento Open Source
Software vendor:
Adobe
Adobe
Description
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to insufficient validation of file during file upload. A remote non-authenticated attacker can upload a malicious file and execute it on the server.
Successful exploitation of the vulnerability may result in entire system compromise.
Note, the vulnerability affects only installations with Apache HTTP server.
Remediation
Install updates from vendor's website.