Adobe Commerce and Magento Open Source Incorrect Authorization Vulnerability Allowing Privilege Escalation

Vulnerability

An incorrect authorization vulnerability has been identified in Adobe Commerce and Magento Open Source. It affects Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier, as well as Magento Open Source versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14 and earlier. The flaw allows a low-privileged attacker to bypass security measures and obtain elevated privileges without authorization, with a significant potential impact on integrity. Exploitation does not require user interaction.

Impact

Exploitation of this vulnerability could lead to unauthorized privilege escalation, allowing attackers to gain elevated rights within the application.

Remediation

Users are advised to update to the fixed versions of Adobe Commerce or Magento Open Source. For Adobe Commerce, the fixed version is 2.4.9-alpha3 for installations on 2.4.9-alpha2, 2.4.8-p3 for 2.4.8-p2 and earlier, 2.4.7-p8 for 2.4.7-p7 and earlier, 2.4.6-p13 for 2.4.6-p12 and earlier, 2.4.5-p15 for 2.4.5-p14 and earlier, and 2.4.4-p16 for 2.4.4-p15 and earlier. For Magento Open Source, the fixed version is 2.4.9-alpha3 for 2.4.9-alpha2, 2.4.8-p3 for 2.4.8-p2 and earlier, 2.4.7-p8 for 2.4.7-p7 and earlier, 2.4.6-p13 for 2.4.6-p12 and earlier, and 2.4.5-p15 for 2.4.5-p14 and earlier.
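To turn the version lists above into a repeatable fleet check, the following is an added Python example (not code from Adobe or from this advisory's source) that parses Adobe Commerce/Magento version strings, ranks pre-release, GA and -pN builds within a branch, and reports which installed builds fall inside an affected range together with the fixed release they need. The per-branch reading of "and earlier", the product keys and the sample inventory are assumptions made for the example.

```python
import re

# Affected range -> fixed version, as listed in the advisory above; "and earlier" is
# read per release branch (2.4.7-p7 covers 2.4.7 GA through 2.4.7-p7). Only Adobe
# Commerce lists a 2.4.4 branch.
_COMMON = [
    ("2.4.9-alpha2", "2.4.9-alpha3"), ("2.4.8-p2", "2.4.8-p3"), ("2.4.7-p7", "2.4.7-p8"),
    ("2.4.6-p12", "2.4.6-p13"), ("2.4.5-p14", "2.4.5-p15"),
]
ADVISORY = {
    "adobe-commerce": _COMMON + [("2.4.4-p15", "2.4.4-p16")],
    "magento-open-source": _COMMON,
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?$")
# Rank of a release inside its branch: pre-releases below GA, -pN patch levels above.
_STAGE = {"alpha": 0, "beta": 1, None: 2, "p": 3}

def parse_version(version):
    """Split '2.4.7-p7' into ((2, 4, 7), (stage, level)) for ordered comparison."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Adobe Commerce/Magento version: {version!r}")
    base = (int(m[1]), int(m[2]), int(m[3]))
    return base, (_STAGE[m[4]], int(m[5]) if m[5] else 0)

def required_update(product, installed):
    """Fixed version to move to, or None if the build is outside every listed range
    (unaffected, or on a branch the advisory does not cover at all)."""
    base, rank = parse_version(installed)
    for threshold, fixed in ADVISORY[product]:
        t_base, t_rank = parse_version(threshold)
        if base == t_base and rank <= t_rank:
            return fixed
    return None

def audit_inventory(inventory):
    """Return (host, installed, fixed) for each inventory entry still affected."""
    return [(host, installed, fixed)
            for host, product, installed in inventory
            if (fixed := required_update(product, installed)) is not None]

SAMPLE_INVENTORY = [  # constructed sample data; hostnames and versions are illustrative
    ("shop-prod-01", "adobe-commerce", "2.4.7-p5"),
    ("shop-prod-02", "adobe-commerce", "2.4.7-p8"),
    ("shop-stage-01", "magento-open-source", "2.4.9-alpha2"),
    ("shop-legacy-01", "magento-open-source", "2.4.4-p10"),
]
```

A result of None for shop-legacy-01 only means the advisory lists no 2.4.4 range for Magento Open Source, not that the build is known to be safe.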

Added: Oct 15, 2025, 12:04 AM
Updated: Oct 15, 2025, 12:04 AM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 5.0
exploitability: 5.4
remediation: 7.7
relevance: 0.7
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.