Impact
Improper input validation (CWE‑20) in Adobe Commerce enables a high‑privileged attacker to bypass security controls and obtain unauthorized write access. The flaw requires user interaction; a victim must visit a maliciously crafted URL or interact with a compromised web page to trigger the vulnerability. Once the bypass is achieved, the attacker’s privileges are elevated, allowing write operations that would normally be restricted. The CVSS score of 3.4 reflects a low overall severity, but the change of scope to a high‑privileged state indicates significant potential impact if exploited.
Affected Systems
Adobe Commerce versions 2.4.9‑beta1, 2.4.8‑p4, 2.4.7‑p9, 2.4.6‑p14, 2.4.5‑p16, 2.4.4‑p17 and all earlier releases are affected. The affected product is Adobe Commerce (formerly Magento) provided by Adobe.
Risk and Exploitability
The CVSS score indicates low exploitability overall, but the requirement for user interaction reduces the probability that an attacker can gain the necessary context. The EPSS score is < 1%, indicating a very low exploitation probability, and the vulnerability is not listed in CISA KEV, suggesting no known public exploits. However, the scope change to a high‑privileged state means that once an attacker achieves a written string through a web request, they can execute write operations that normally would have been restricted, exposing the system to potential data tampering or persistence mechanisms.
OpenCVE Enrichment