Adobe Commerce and Magento Open Source Server-Side Request Forgery Vulnerability Allowing Security Feature Bypass

Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability has been identified in Adobe Commerce and Magento Open Source. Affected Adobe Commerce versions are 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier; affected Magento Open Source versions are 2.4.9-beta1, 2.4.8-p4 and earlier, 2.4.7-p9 and earlier, and 2.4.6-p14 and earlier. The vulnerability could lead to a security feature bypass, allowing unauthorized read access. Exploitation requires user interaction, for example a victim visiting a maliciously crafted URL or interacting with a compromised web page.

Impact

Exploitation of this vulnerability could bypass security measures, allowing unauthorized read access.

Remediation

Users are advised to update to the latest versions of Adobe Commerce or Magento Open Source. The latest versions for Adobe Commerce are 2.4.9, 2.4.8-p5, 2.4.7-p10, 2.4.6-p15, 2.4.5-p17 and 2.4.4-p18. For Magento Open Source, the latest versions are 2.4.9, 2.4.8-p5, 2.4.7-p10 and 2.4.6-p15.
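To turn the version lists above into a repeatable check, the following Python is an added example (not Adobe's or the Magento project's code) that parses Adobe Commerce / Magento Open Source version strings, orders a beta before the GA release and the GA release before its -pN security patches, and reports whether an installed build is below the fixed build on its release line. It assumes the fixed versions listed in this advisory, treats "and earlier" as covering every line below the lowest fixed line, and uses the product names as plain dictionary keys; the version-string format (major.minor.patch with an optional -betaN or -pN suffix) is an assumption drawn from the versions on this page.

```python
import re
from typing import Optional, Tuple

# Fixed versions as listed in the advisory above, keyed by product.
# Assumption: anything on a listed release line below its fixed build, or on
# an unlisted line below the lowest fixed build ("and earlier"), is affected.
FIXED_VERSIONS = {
    "Adobe Commerce": ["2.4.9", "2.4.8-p5", "2.4.7-p10", "2.4.6-p15", "2.4.5-p17", "2.4.4-p18"],
    "Magento Open Source": ["2.4.9", "2.4.8-p5", "2.4.7-p10", "2.4.6-p15"],
}

# Assumed version grammar: major.minor.patch, optionally followed by -betaN or -pN.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(beta|p)(\d+))?$")

# Ordering of builds within one release line: beta < GA release < security patch (-pN).
_STAGE_ORDER = {"beta": 0, None: 1, "p": 2}


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Parse '2.4.8-p5' into a sortable tuple (2, 4, 8, stage, 5)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, stage, n = m.groups()
    return (int(major), int(minor), int(patch), _STAGE_ORDER[stage], int(n or 0))


def release_line(version: str) -> Tuple[int, int, int]:
    """The major.minor.patch line a build belongs to, e.g. (2, 4, 8) for 2.4.8-p5."""
    return parse_version(version)[:3]


def is_affected(product: str, installed: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, build_to_upgrade_to); the second item is None when not affected."""
    fixed = sorted(FIXED_VERSIONS[product], key=parse_version)
    here = parse_version(installed)
    for fv in fixed:
        if release_line(fv) == here[:3]:
            # Same release line: affected iff the installed build is older than the fix.
            older = here < parse_version(fv)
            return (older, fv if older else None)
    lowest = fixed[0]
    if here < parse_version(lowest):
        # Unlisted older line ("and earlier"): move to the lowest patched line.
        return (True, lowest)
    # Newer than every listed line: outside the range this advisory describes.
    return (False, None)


if __name__ == "__main__":
    # Constructed sample inventory of installed builds to check.
    inventory = [
        ("Adobe Commerce", "2.4.8-p4"),
        ("Adobe Commerce", "2.4.9-beta1"),
        ("Magento Open Source", "2.4.5-p16"),
        ("Magento Open Source", "2.4.7-p10"),
    ]
    for product, version in inventory:
        affected, target = is_affected(product, version)
        status = f"AFFECTED -> upgrade to {target}" if affected else "not affected"
        print(f"{product} {version}: {status}")
```

Note that 2.4.9-beta1 sorts below 2.4.9, matching the advisory's listing of the beta as affected and 2.4.9 as the fixed build; a comparison that treats version strings lexically would get that case wrong.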

Added: May 12, 2026, 9:03 PM
Updated: May 12, 2026, 9:03 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 0.4
exploitability: 6.4
remediation: 7.7
relevance: 8.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.