Auth bypass in Aimeos Ai-controller-frontend
CVE-2024-39319
aimeos/ai-controller-frontend is the Aimeos frontend controller package for e-commerce projects. Prior to versions 2024.4.2, 2023.10.9, 2022.10.8, 2021.10.8, and 2020.10.15, an insecure direct object reference allows an attacker to disable…
Vulnerability class: IDOR (Insecure Direct Object Reference)
EPSS: 0.006 (68.7th percentile).
CVSS v3 metric
CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N.
Affected products
- Aimeos Ai-controller-frontend: version = 2024.04.1; versions >= 2023.04.1 and < 2023.10.9; versions >= 2022.04.1 and < 2022.10.8
Weakness classification (CWE)
- CWE-639: Authorization Bypass Through User-Controlled Key
Public proof-of-concept exploits
References
- https://github.com/aimeos/ai-controller-frontend/security/advisories/GHSA-rw3j-574h-mrcq (x_refsource_CONFIRM)
- https://github.com/aimeos/ai-controller-frontend/commit/2ad5c062a629af374da470a319914c321c9bfee2 (x_refsource_MISC)
- https://github.com/aimeos/ai-controller-frontend/commit/53eebdc51fae34440dfd768a7811c169c7779aa9 (x_refsource_MISC)
- https://github.com/aimeos/ai-controller-frontend/commit/5833db6d18a889b94dc036dfb84b6f5cca73fbac (x_refsource_MISC)
- https://github.com/aimeos/ai-controller-frontend/commit/6ea6b82f5a1fc18c574cb6f97225930d139b14a5 (x_refsource_MISC)
- https://github.com/aimeos/ai-controller-frontend/commit/700da5ea2b622724b68c8684346bf74ac3bbca9b (x_refsource_MISC)
- https://github.com/aimeos/ai-controller-frontend/commit/7c93139f86eff9ec26b117a8918e06ce6cc0000f (x_refsource_MISC)
- https://github.com/aimeos/ai-controller-frontend/commit/ae7baa3f2fbf594c2c1e4b1aae83364a84b241a6 (x_refsource_MISC)
- https://github.com/aimeos/ai-controller-frontend/commit/cd8c95aa4663f54bd66a69c5952f2e42405426f3 (x_refsource_MISC)
- https://github.com/aimeos/ai-controller-frontend/commit/d4eac06f3a25330c089d8be4397f2ab1936dd9bb (x_refsource_MISC)
Frequently asked questions
- What is CVE-2024-39319?
- CVE-2024-39319 is a medium-severity vulnerability in Aimeos Ai-controller-frontend, classified under Authorization Bypass Through User-Controlled Key. CVSS score: 5.3/10. Published 2024-09-26.
- How severe is CVE-2024-39319?
- Medium severity. CVSS v3 base score is 5.3 out of 10.
- Is CVE-2024-39319 known to be exploited?
- 1 public proof-of-concept repository is indexed. Not currently listed in the CISA KEV catalog.