CVE-2024-39408: Magento Open Source Cross-Site Request Forgery vulnerability
4.3
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.33288%
CWE
Published
8/14/2024
Updated
9/16/2024
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| magento/community-edition | composer | >= 2.4.7-p1, < 2.4.7-p2 | 2.4.7-p2 |
| magento/community-edition | composer | = 2.4.7 | |
| magento/community-edition | composer | >= 2.4.6-p1, < 2.4.6-p7 | 2.4.6-p7 |
| magento/community-edition | composer | = 2.4.6 | |
| magento/community-edition | composer | >= 2.4.5-p1, < 2.4.5-p9 | 2.4.5-p9 |
| magento/community-edition | composer | = 2.4.5 | |
| magento/community-edition | composer | < 2.4.4-p10 | 2.4.4-p10 |
| magento/community-edition | composer | = 2.4.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability pattern suggests missing CSRF protections in state-changing endpoints. While exact patch details are unavailable, analysis focuses on: 1) Common user interaction points mentioned in advisories 2) Magento's typical CSRF protection patterns using @Csrf annotations 3) Controller actions handling minor data modifications matching 'unauthorized actions' description 4) Historical CSRF issues in customer-facing endpoints. Confidence is medium due to indirect evidence but strong correlation with Magento's security patterns.