VYPR
High severity · NVD Advisory · Published Oct 10, 2024 · Updated Oct 10, 2024

Adobe Commerce | Improper Access Control (CWE-284)

CVE-2024-45118

Description

CVE-2024-45118 is an improper access control vulnerability in Adobe Commerce that allows low-privileged attackers to bypass security measures, impacting integrity.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2024-45118 is an Improper Access Control vulnerability affecting Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10, and earlier. The root cause is a failure to properly enforce access controls, which allows a low-privileged attacker to bypass intended security restrictions without requiring user interaction [1].

An attacker with low privileges can exploit this vulnerability by sending crafted requests to the affected application, circumventing the access control checks that would normally prevent unauthorized actions. The attack does not require any special network position or user interaction, making it easier to execute [1].

Successful exploitation could lead to a high impact on integrity, meaning the attacker could potentially modify data or settings that should be protected. This bypass of security measures undermines the application's access control model and could enable further abuse of privileged functionality [1].

Adobe has addressed this vulnerability in security updates for the affected versions. Users are strongly advised to upgrade to the latest patched releases. The vulnerability has been publicly disclosed, but no evidence of active exploitation in the wild has been reported at the time of publication [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| magento/community-edition (Packagist) | >= 2.4.7-beta1, < 2.4.7-p3 | 2.4.7-p3 |
| magento/community-edition (Packagist) | >= 2.4.6-p1, < 2.4.6-p8 | 2.4.6-p8 |
| magento/community-edition (Packagist) | >= 2.4.5-p1, < 2.4.5-p10 | 2.4.5-p10 |
| magento/community-edition (Packagist) | < 2.4.4-p11 | 2.4.4-p11 |
