CVE-2024-39319
Published: 26 September 2024
Summary
CVE-2024-39319 is a medium-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Aimeos Aimeos Frontend Controller. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Stored Data Manipulation (T1565.001); ranked in the top 31.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-2868
Vulnerability details
aimeos/ai-controller-frontend is the Aimeos frontend controller package for e-commerce projects. Prior to versions 2024.4.2, 2023.10.9, 2022.10.8, 2021.10.8, and 2020.10.15, an insecure direct object reference allows an attacker to disable subscriptions and reviews of another customer. Versions 2024.4.2, 2023.10.9, 2022.10.8, 2021.10.8,…
more
and 2020.10.15 fix this issue.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
IDOR vulnerability enables unauthorized manipulation of stored customer data (subscriptions and reviews).
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.