CVE-2024-45120
October 10, 2024
Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could lead to a security feature bypass. An attacker could exploit this vulnerability to alter a condition between the check and the use of a resource, having a low impact on integrity. Exploitation of this issue requires user interaction.
Affected Packages
magento/community-edition (PHP):
Affected version(s) >=2.4.4-p2 <2.4.5-p10Fix Suggestion:
Update to version 2.4.5-p10magento/community-edition (PHP):
Affected version(s) >=2.4.7-beta1 <2.4.7-p3Fix Suggestion:
Update to version 2.4.7-p3magento/community-edition (PHP):
Affected version(s) >=dev-2.5-develop <=dev-32368-qraphql-get-cart-typeFix Suggestion:
Update to version no_fixmagento/community-edition (PHP):
Affected version(s) >=2.4.5-p2 <2.4.6-p8Fix Suggestion:
Update to version 2.4.6-p8magento/community-edition (PHP):
Affected version(s) >=dev-2c18c9e <2.4.4-p11Fix Suggestion:
Update to version 2.4.4-p11Related Resources (3)
Do you need more information?
Contact UsCVSS v4
Base Score:
2.3
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
3.1
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
NONE
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Time-of-check Time-of-use (TOCTOU) Race Condition
EPSS
Base Score:
0.07
