CVE-2024-39323
Description
aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.01 and prior to versions 2022.10.10, 2023.10.6, and 2024.04.6, an improper access control vulnerability allows an editor to modify and take over an admin account in the back end. Versions 2022.10.10, 2023.10.6, and 2024.04.6 fix this issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| aimeos/ai-admin-graphql (Packagist) | >= 2022.04.1, < 2022.10.10 | 2022.10.10 |
| aimeos/ai-admin-graphql (Packagist) | >= 2023.04.1, < 2023.10.6 | 2023.10.6 |
| aimeos/ai-admin-graphql (Packagist) | >= 2024.04.1, < 2024.04.6 | 2024.04.6 |
Patches
54d6b7cf4530 — Only allow super users to edit data of shared users
1 file changed · +22 −17
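--- a/src/Admin/Graphql/Customer/Standard.php
+++ b/src/Admin/Graphql/Customer/Standard.php
@@ -75,28 +75,33 @@ protected function updateItem( \Aimeos\MShop\Common\Manager\Iface $manager,
 		\Aimeos\MShop\Common\Item\Iface $item, array $entry ) : \Aimeos\MShop\Common\Item\Iface
 	{
 		$view = $this->context()->view();
-		$item = $item->fromArray( $entry );
+		$siteId = (string) $this->context()->user()?->getSiteId();
 
-		if( $view->access( ['super', 'admin'] ) ) {
-			$item->setGroups( array_unique( $entry['groups'] ?? [] ) );
-		}
-
-		if( $view->access( ['super', 'admin'] ) || $item->getId() === $this->context()->user() )
+		if( $view->access( ['super'] ) || strlen( $siteId ) > 0 && !strncmp( $item->getSiteId(), $siteId, strlen( $siteId ) ) )
 		{
-			!isset( $entry['customer.password'] ) ?: $item->setPassword( $entry['customer.password'] );
-			!isset( $entry['customer.code'] ) ?: $item->setCode( $entry['customer.code'] );
-		}
+			$item = $item->fromArray( $entry );
 
-		if( isset( $entry['address'] ) && $item instanceof \Aimeos\MShop\Common\Item\AddressRef\Iface ) {
-			$item = $this->updateAddresses( $manager, $item, $entry['address'] );
-		}
+			if( $view->access( ['super', 'admin'] ) ) {
+				$item->setGroups( array_unique( $entry['groups'] ?? [] ) );
+			}
 
-		if( isset( $entry['lists'] ) && $item instanceof \Aimeos\MShop\Common\Item\ListsRef\Iface ) {
-			$item = $this->updateLists( $manager, $item, $entry['lists'] );
-		}
+			if( $view->access( ['super', 'admin'] ) || $item->getId() === $this->context()->user() )
+			{
+				!isset( $entry['customer.password'] ) ?: $item->setPassword( $entry['customer.password'] );
+				!isset( $entry['customer.code'] ) ?: $item->setCode( $entry['customer.code'] );
+			}
+
+			if( isset( $entry['address'] ) && $item instanceof \Aimeos\MShop\Common\Item\AddressRef\Iface ) {
+				$item = $this->updateAddresses( $manager, $item, $entry['address'] );
+			}
+
+			if( isset( $entry['lists'] ) && $item instanceof \Aimeos\MShop\Common\Item\ListsRef\Iface ) {
+				$item = $this->updateLists( $manager, $item, $entry['lists'] );
+			}
 
-		if( isset( $entry['property'] ) && $item instanceof \Aimeos\MShop\Common\Item\PropertyRef\Iface ) {
-			$item = $this->updateProperties( $manager, $item, $entry['property'] );
+			if( isset( $entry['property'] ) && $item instanceof \Aimeos\MShop\Common\Item\PropertyRef\Iface ) {
+				$item = $this->updateProperties( $manager, $item, $entry['property'] );
+			}
 		}
 
 		return $item;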
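Review bot: The inner self-edit check `$item->getId() === $this->context()->user()` (carried over from the earlier code) compares an item ID with the same `$this->context()->user()` that the new `$siteId` line dereferences via `?->getSiteId()`; if `user()` returns a customer item the strict comparison can never be true and the self-service password/code path is dead, and if it returns an ID the `?->getSiteId()` call fails, so one of the two uses needs the other accessor, e.g. `$item->getId() === $this->context()->user()?->getId()`. The new outer condition mixes `||` and `&&` without parentheses; `if( $view->access( ['super'] ) || ( strlen( $siteId ) > 0 && !strncmp( $item->getSiteId(), $siteId, strlen( $siteId ) ) ) )` states the intended precedence explicitly. When neither branch holds the method returns `$item` untouched, so a refused update is indistinguishable to the caller from a successful one; throwing here instead would make the denial visible to the client and to audit logs. The `strncmp` prefix match presumably relies on site IDs being path-like strings where a shared prefix means the same site tree, and on `getSiteId()` never being null (PHP 8.1+ deprecates null for that argument) — a one-line comment stating both assumptions would help the next maintainer.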
787028de0a3eAllow updating security related customer item properities only by admins and super users
1 file changed · +40 −0
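--- a/src/Admin/Graphql/Customer/Standard.php
+++ b/src/Admin/Graphql/Customer/Standard.php
@@ -42,4 +42,44 @@ public function query( string $domain ) : array
 		return $list;
 	}
 
+
+
+	/**
+	 * Updates the item
+	 *
+	 * @param \Aimeos\MShop\Common\Manager\Iface $manager Manager object for the passed item
+	 * @param \Aimeos\MShop\Common\Item\AdddressRef\Iface $item Item to update
+	 * @param array $entry Associative list of key/value pairs of the item data
+	 * @return \Aimeos\MShop\Common\Item\Iface Updated item
+	 */
+	protected function updateItem( \Aimeos\MShop\Common\Manager\Iface $manager,
+		\Aimeos\MShop\Common\Item\Iface $item, array $entry ) : \Aimeos\MShop\Common\Item\Iface
+	{
+		$view = $this->context()->view();
+		$item = $item->fromArray( $entry );
+
+		if( $view->access( ['super', 'admin'] ) ) {
+			$item->setGroups( array_unique( $entry['groups'] ?? [] ) );
+		}
+
+		if( $view->access( ['super', 'admin'] ) || $item->getId() === $this->context()->user() )
+		{
+			!isset( $entry['customer.password'] ) ?: $item->setPassword( $entry['customer.password'] );
+			!isset( $entry['customer.code'] ) ?: $item->setCode( $entry['customer.code'] );
+		}
+
+		if( isset( $entry['address'] ) && $item instanceof \Aimeos\MShop\Common\Item\AddressRef\Iface ) {
+			$item = $this->updateAddresses( $manager, $item, $entry['address'] );
+		}
+
+		if( isset( $entry['lists'] ) && $item instanceof \Aimeos\MShop\Common\Item\ListsRef\Iface ) {
+			$item = $this->updateLists( $manager, $item, $entry['lists'] );
+		}
+
+		if( isset( $entry['property'] ) && $item instanceof \Aimeos\MShop\Common\Item\PropertyRef\Iface ) {
+			$item = $this->updateProperties( $manager, $item, $entry['property'] );
+		}
+
+		return $item;
+	}
 }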
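Review bot: The docblock added for updateItem() declares `$item` as `\Aimeos\MShop\Common\Item\AdddressRef\Iface` (misspelled, three d's) while the signature types it as `\Aimeos\MShop\Common\Item\Iface`; the line should read `@param \Aimeos\MShop\Common\Item\Iface $item Item to update`. The self-edit check `$item->getId() === $this->context()->user()` compares an item ID with whatever `user()` returns; if that is a customer item rather than an ID the comparison is always false and only admins and super users can ever set password or code, so confirm the accessor and compare IDs on both sides. The gate protects only password, code and groups, and it runs after `$item->fromArray( $entry )` has already applied the whole entry, so the protection rests on `fromArray()` ignoring those keys; a comment such as `// fromArray() must not apply customer.password, customer.code or groups — they are gated below` would keep a later change to fromArray() from silently reopening the hole. The same hunk appears in commit 2d89d98cdcad below and these points apply there too.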
2d89d98cdcadAllow updating security related customer item properities only by admins and super users
1 file changed · +40 −0
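--- a/src/Admin/Graphql/Customer/Standard.php
+++ b/src/Admin/Graphql/Customer/Standard.php
@@ -42,4 +42,44 @@ public function query( string $domain ) : array
 		return $list;
 	}
 
+
+
+	/**
+	 * Updates the item
+	 *
+	 * @param \Aimeos\MShop\Common\Manager\Iface $manager Manager object for the passed item
+	 * @param \Aimeos\MShop\Common\Item\AdddressRef\Iface $item Item to update
+	 * @param array $entry Associative list of key/value pairs of the item data
+	 * @return \Aimeos\MShop\Common\Item\Iface Updated item
+	 */
+	protected function updateItem( \Aimeos\MShop\Common\Manager\Iface $manager,
+		\Aimeos\MShop\Common\Item\Iface $item, array $entry ) : \Aimeos\MShop\Common\Item\Iface
+	{
+		$view = $this->context()->view();
+		$item = $item->fromArray( $entry );
+
+		if( $view->access( ['super', 'admin'] ) ) {
+			$item->setGroups( array_unique( $entry['groups'] ?? [] ) );
+		}
+
+		if( $view->access( ['super', 'admin'] ) || $item->getId() === $this->context()->user() )
+		{
+			!isset( $entry['customer.password'] ) ?: $item->setPassword( $entry['customer.password'] );
+			!isset( $entry['customer.code'] ) ?: $item->setCode( $entry['customer.code'] );
+		}
+
+		if( isset( $entry['address'] ) && $item instanceof \Aimeos\MShop\Common\Item\AddressRef\Iface ) {
+			$item = $this->updateAddresses( $manager, $item, $entry['address'] );
+		}
+
+		if( isset( $entry['lists'] ) && $item instanceof \Aimeos\MShop\Common\Item\ListsRef\Iface ) {
+			$item = $this->updateLists( $manager, $item, $entry['lists'] );
+		}
+
+		if( isset( $entry['property'] ) && $item instanceof \Aimeos\MShop\Common\Item\PropertyRef\Iface ) {
+			$item = $this->updateProperties( $manager, $item, $entry['property'] );
+		}
+
+		return $item;
+	}
 }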
Vulnerability mechanics
References
- github.com/advisories/GHSA-vc7j-99jw-jrqm (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-39323 (GHSA, advisory)
- github.com/aimeos/ai-admin-graphql/commit/2d89d98cdcad880a9244b50736b08c1a171379ca (NVD, web)
- github.com/aimeos/ai-admin-graphql/commit/54d6b7cf4530cb3b95f52775c24056c48e6d26e9 (NVD, web)
- github.com/aimeos/ai-admin-graphql/commit/787028de0a3ecbf3e9f63ab1454eac99ce7693a9 (NVD, web)
- github.com/aimeos/ai-admin-graphql/security/advisories/GHSA-vc7j-99jw-jrqm (NVD, web)