THREATINT

CVE-2024-39324 (PUBLISHED)

aimeos/ai-admin-graphql improper access control vulnerability allows editors to manage own services

Assigner: GitHub_M
Reserved: 2024-06-21
Published: 2024-07-02
Updated: 2024-07-09

Description

aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.1 and prior to versions 2022.10.10, 2023.10.6, and 2024.4.2, improper access control allows editors to manage their own services via the GraphQL API, which is not allowed in the JQAdm front end. Versions 2022.10.10, 2023.10.6, and 2024.4.2 contain a patch for the issue.
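The root cause described above is a second entry point (the GraphQL API) that enforced coarser rules than the first (the JQAdm front end) for the same back-end data. The example below is added here to illustrate that pattern and is not code from Aimeos or from this advisory: a GraphQL-style resolver that only checks "is the caller a back-end user" is shown beside one that consults the same role-by-resource-by-action table the admin UI would use, plus a small audit that lists mutations the schema exposes without an explicit decision for a role. The role names, the `PERMISSIONS` table, the `saveService`/`saveProduct` mutation naming scheme and the in-memory store are all assumptions.

```python
"""Resource-level authorization shared by every admin entry point.

Added illustration, not Aimeos code: role names, resource names, the
PERMISSIONS table and the mutation naming scheme are assumptions chosen to
mirror the advisory's scenario (an editor role that may not manage services).
"""
import re
from dataclasses import dataclass

# Hypothetical per-role permissions, modelled on an admin UI that hides the
# "service" panel from editors. The API must consult this same table rather
# than re-deriving a coarser rule of its own.
PERMISSIONS = {
    "admin": {"product": {"get", "save", "delete"},
              "service": {"get", "save", "delete"}},
    "editor": {"product": {"get", "save", "delete"},
               "service": set()},          # explicit deny, not silence
}


@dataclass(frozen=True)
class User:
    name: str
    role: str


class Forbidden(Exception):
    pass


def split_mutation(name):
    """'saveService' -> ('service', 'save'); mirrors a verb+Type naming scheme."""
    m = re.fullmatch(r"([a-z]+)([A-Z][A-Za-z]*)", name)
    if not m:
        raise ValueError(f"unrecognised mutation name: {name}")
    return m.group(2).lower(), m.group(1)


def is_allowed(user, resource, action):
    """Default deny: unknown roles and unlisted resources get no access."""
    return action in PERMISSIONS.get(user.role, {}).get(resource, set())


def apply(store, resource, action, args):
    """Toy persistence layer: store[resource][id] -> record."""
    table = store.setdefault(resource, {})
    if action == "save":
        table[args["id"]] = args
        return args
    if action == "delete":
        return table.pop(args["id"], None)
    if action == "get":
        return table.get(args["id"])
    raise ValueError(action)


def resolve_vulnerable(user, mutation, args, store):
    """CWE-1220 pattern: only checks that the caller holds some back-end role,
    then dispatches any mutation on any resource."""
    if user.role not in PERMISSIONS:
        raise Forbidden("back-end login required")
    resource, action = split_mutation(mutation)
    return apply(store, resource, action, args)


def resolve_hardened(user, mutation, args, store):
    """Checks the (role, resource, action) triple before touching the store."""
    resource, action = split_mutation(mutation)
    if not is_allowed(user, resource, action):
        raise Forbidden(f"{user.role} may not {action} {resource}")
    return apply(store, resource, action, args)


def ungated(schema_mutations, role):
    """Mutations the API exposes for which the role has no explicit decision.
    Run this over the real schema so a new type cannot slip past the UI's rules."""
    return [name for name in schema_mutations
            if split_mutation(name)[0] not in PERMISSIONS.get(role, {})]


def demo():
    """Exercise both resolvers with constructed users and records."""
    editor, admin = User("eve", "editor"), User("alice", "admin")
    svc = {"id": "svc-1", "label": "Express shipping"}
    prod = {"id": "p-1", "label": "Mug"}
    out = {}

    store = {}
    resolve_vulnerable(editor, "saveService", svc, store)
    out["vulnerable_editor_saved_service"] = store["service"].get("svc-1") == svc

    store = {}
    try:
        resolve_hardened(editor, "saveService", svc, store)
        out["hardened_editor_denied_service"] = False
    except Forbidden:
        out["hardened_editor_denied_service"] = "service" not in store

    resolve_hardened(editor, "saveProduct", prod, store)
    out["hardened_editor_saved_product"] = store["product"]["p-1"] == prod
    resolve_hardened(admin, "saveService", svc, store)
    out["hardened_admin_saved_service"] = store["service"]["svc-1"] == svc
    return out


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The design point is that `PERMISSIONS` is the single source of truth: the UI hides panels from it, the API resolver denies from it, and `ungated` reports any schema mutation it does not cover, so a resource added to the API without a matching UI rule fails closed instead of being silently writable.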



LOW: 3.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L)

Problem types

CWE-1220: Insufficient Granularity of Access Control

CWE-863: Incorrect Authorization

Product status

>= 2022.04.1, < 2022.10.10: affected
>= 2023.04.1, < 2023.10.6: affected
= 2024.04.1: affected

References

https://github.com/aimeos/ai-admin-graphql/security/advisories/GHSA-jj68-cp4v-98qf

https://github.com/aimeos/ai-admin-graphql/commit/4eabc2b973509ffa5924e7f88c8f87ee96e93b38

https://github.com/aimeos/ai-admin-graphql/commit/687059d7eb2e1d55a09ed72dad3814f35edad038

https://github.com/aimeos/ai-admin-graphql/commit/a839a5adf16fee4221d444b7d2f5140d8cabf0ac

https://github.com/aimeos/ai-admin-graphql/commit/acbb044620f4ff8e8d78a775cd205ec47cf119b3

cve.org CVE-2024-39324

nvd.nist.gov CVE-2024-39324
