CVE-2024-39397

CRITICAL Year: 2024
CVSS v3 Score
9.0
Critical
Weakness Type
CWE-434
View all →

Vulnerability Description

Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution by an attacker. An attacker could exploit this vulnerability by uploading a malicious file which can then be executed on the server. Exploitation of this issue does not require user interaction, but attack complexity is high and scope is changed.

Related Vulnerabilities

CVE-2019-4130

CRITICAL
CVSS:9.0(Critical)

IBM Cloud Pak System 2.3 and 2.3.0.1 could allow a remote attacker to upload arbitrary files, which could allow the attacker to execute arbitrary code on the vulnerable server. IBM X-Force ID: 158280.

CWE-4342019

CVE-2022-0945

CRITICAL
CVSS:9.0(Critical)

Stored XSS viva axd and cshtml file upload in star7th/showdoc in GitHub repository star7th/showdoc prior to v2.10.4.

CWE-4342022

CVE-2022-0960

CRITICAL
CVSS:9.0(Critical)

Stored XSS viva .properties file upload in GitHub repository star7th/showdoc prior to 2.10.4.

CWE-4342022

CVE-2022-0962

CRITICAL
CVSS:9.0(Critical)

Stored XSS viva .webma file upload in GitHub repository star7th/showdoc prior to 2.10.4.

CWE-4342022

CVE-2022-1045

CRITICAL
CVSS:9.0(Critical)

Stored XSS viva .svg file upload in GitHub repository polonel/trudesk prior to v1.2.0.

CWE-4342022

CVE-2022-1345

CRITICAL
CVSS:9.0(Critical)

Stored XSS viva .svg file upload in GitHub repository causefx/organizr prior to 2.1.1810. This allows attackers to execute malicious scripts in the user's browser and it can lead to session hijacking,...

CWE-4342022