Vulnerable File Upload Mechanism in Aimeos E-commerce Framework
CVE-2024-37295
7.2 HIGH
What is CVE-2024-37295?
Aimeos is an open-source e-commerce framework for online shops. A critical vulnerability has been found affecting versions up to 2024.04.4: an authenticated user with administrative privileges can upload files that masquerade as images but actually contain malicious PHP code. Once uploaded, this code could be executed on the web server, leading to unauthorized access and potential further exploitation of the system. Users are strongly advised to upgrade to version 2024.04.5 to mitigate this vulnerability and improve the security of their e-commerce applications. For more details, refer to the security advisory on GitHub.
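The pattern described above, a file whose name says "image" but whose bytes carry PHP, is what an upload handler or a post-hoc audit of an upload directory should catch. The following is an added example written for this page (not Aimeos code); it assumes a fixed allow-list of image types and the constructed sample files defined inline, and it checks extension, magic bytes and the presence of a PHP open tag independently, so a file that passes one check can still be rejected by another.

```python
"""Audit check for image uploads: flag files whose declared extension does not
match their actual content, whose name carries a PHP-executable extension, or
whose bytes contain a PHP open tag (a valid image header followed by PHP code).
Example code added for this page; not part of Aimeos."""
import re
from pathlib import Path

# Magic bytes for the image types the (hypothetical) upload handler accepts.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# Extensions a web server may hand to the PHP interpreter; reject them anywhere
# in the name so that "shell.php.png" does not slip through as "png".
EXECUTABLE = {".php", ".phtml", ".phar", ".php3", ".php5", ".php7"}
# PHP open tags. A file can satisfy the magic-byte check and still carry these,
# because image parsers ignore trailing or embedded bytes they do not understand.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def check_upload(filename: str, data: bytes) -> str:
    """Return 'ok' or a short reason why the file must be rejected."""
    suffixes = [s.lower() for s in Path(filename).suffixes]
    if any(s in EXECUTABLE for s in suffixes):
        return "executable extension in name"
    ext = suffixes[-1].lstrip(".") if suffixes else ""
    if ext not in MAGIC:
        return "extension not allowed"
    if not data.startswith(MAGIC[ext]):
        return "content does not match extension"
    if PHP_TAG.search(data):
        return "php tag inside image data"
    return "ok"


def audit(samples: dict[str, bytes]) -> dict[str, str]:
    """Run check_upload over a mapping of filename -> content (e.g. an upload dir)."""
    return {name: check_upload(name, blob) for name, blob in samples.items()}


# Constructed sample files (not real artifacts from the advisory).
SAMPLES = {
    "logo.png": MAGIC["png"] + b"\x00" * 32,                      # genuine-looking PNG
    "polyglot.png": MAGIC["png"] + b"<?php echo 'not an image'; ?>",  # PNG header + PHP
    "fake.jpg": b"<?php echo 'no jpeg header'; ?>",                # PHP named as .jpg
    "double.php.png": MAGIC["png"] + b"\x00" * 8,                  # double extension
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{name}: {verdict}")
```

The check is a detection layer, not a full fix: the durable mitigation is to re-encode accepted images server-side, store them under a server-chosen name, and serve the upload directory from a location where the web server never executes scripts.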
Affected Version(s)
aimeos-core >= 2024.04.1, < 2024.04.5