Adobe Commerce and Magento Open Source Incorrect Authorization Vulnerability Allowing Security Feature Bypass

Vulnerability

An incorrect authorization vulnerability has been identified in Adobe Commerce and Magento Open Source. Affected releases are Adobe Commerce 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier, and Magento Open Source 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13 and 2.4.5-p15. Because of improper authorization checks, a low-privileged attacker can bypass a security control and gain unauthorized access to certain features. Exploitation requires no user interaction.

Impact

Successful exploitation gives an attacker access to features that their privilege level should not allow, bypassing a security control. That access may then serve as a stepping stone to other vulnerabilities that require higher privileges.

Remediation

Users are advised to update to the latest versions of Adobe Commerce or Magento Open Source. For Adobe Commerce, the updated versions are 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16 and 2.4.4-p17. For Magento Open Source, the updated versions are 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14 and 2.4.5-p16.
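As an added example (not Adobe's or Magento's own tooling), the following Python script reads the edition and version of a Magento install from its composer.lock and compares it against the fixed versions listed above. It assumes the standard metapackage names magento/product-community-edition (Open Source) and magento/product-enterprise-edition (Commerce) and the ordering alphaN < betaN < GA < pN within one 2.4.x branch; the composer.lock fragment is constructed for the demonstration.

```python
import json
import re

# Fixed versions from the advisory above, one per 2.4.x release branch.
FIXED = {
    "commerce": ["2.4.9-beta1", "2.4.8-p4", "2.4.7-p9", "2.4.6-p14", "2.4.5-p16", "2.4.4-p17"],
    "open-source": ["2.4.9-beta1", "2.4.8-p4", "2.4.7-p9", "2.4.6-p14", "2.4.5-p16"],
}

# Composer metapackage that names the installed edition (assumed standard names).
METAPACKAGES = {
    "magento/product-enterprise-edition": "commerce",
    "magento/product-community-edition": "open-source",
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?$")

def parse_version(version):
    """Return a tuple that orders alphaN < betaN < GA (no suffix) < pN within a branch."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version: {version!r}")
    major, minor, patch, tag, num = m.groups()
    stage = {"alpha": 0, "beta": 1, None: 2, "p": 3}[tag]
    return (int(major), int(minor), int(patch), stage, int(num or 0))

def check(version, product):
    """'fixed' if at/above the branch's fixed release, 'affected' if below,
    'unlisted' if the advisory names no fixed release for that branch."""
    parsed = parse_version(version)
    for fixed in FIXED[product]:
        fixed_parsed = parse_version(fixed)
        if fixed_parsed[:3] == parsed[:3]:          # same 2.4.x branch
            return "fixed" if parsed >= fixed_parsed else "affected"
    return "unlisted"

def check_composer_lock(lock_text):
    """Locate the edition metapackage in composer.lock and evaluate its version."""
    for pkg in json.loads(lock_text).get("packages", []):
        product = METAPACKAGES.get(pkg.get("name"))
        if product:
            return pkg["version"], product, check(pkg["version"], product)
    return None

# Constructed composer.lock fragment, not taken from a real installation.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "magento/framework", "version": "103.0.8-p3"},
    {"name": "magento/product-community-edition", "version": "2.4.8-p3"},
]})
```

Running check_composer_lock on the contents of a real composer.lock returns the installed version, the edition and one of "fixed", "affected" or "unlisted"; "unlisted" means the advisory names no fixed release for that branch, so the vendor's lifecycle status must be consulted separately.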

Added: Mar 11, 2026, 3:27 AM
Updated: Mar 11, 2026, 3:27 AM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 1.3
exploitability: 5.0
remediation: 7.7
relevance: 3.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.