Arbitrary file upload in Adobe Commerce (formerly Magento Commerce) and Magento Open Source - CVE-2024-39397

 

Arbitrary file upload in Adobe Commerce (formerly Magento Commerce) and Magento Open Source - CVE-2024-39397

Published: August 13, 2024


Vulnerability identifier: #VU95942
CSH Severity: Critical
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Red
CVE-ID: CVE-2024-39397
CWE-ID: CWE-434
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Adobe
Affected software:
Adobe Commerce (formerly Magento Commerce)
Magento Open Source

Detailed vulnerability description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to insufficient validation of file during file upload. A remote non-authenticated attacker can upload a malicious file and execute it on the server.

Successful exploitation of the vulnerability may result in entire system compromise.

Note, the vulnerability affects only installations with Apache HTTP server.


How to mitigate CVE-2024-39397

Install updates from vendor's website.

Sources