4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-39409

GHSA ID

GHSA-rf4q-m23c-7q8r

EPSS Score

0.33288%

CWE

CWE-352

Published

8/14/2024

Updated

9/16/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-39409

CVE-2024-39409: Magento Open Source Cross-Site Request Forgery (CSRF) vulnerability

Magento Open Source versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could allow an attacker to bypass security features and perform minor unauthorised actions on behalf of a user. The vulnerability could be exploited by tricking a victim into clicking a link or loading a page that submits a malicious request. Exploitation of this issue requires user interaction.

(GitHub Advisory)

4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-39409

GHSA ID

GHSA-rf4q-m23c-7q8r

EPSS Score

0.33288%

CWE

CWE-352

Published

8/14/2024

Updated

9/16/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
magento/community-edition	composer	>= 2.4.7-p1, < 2.4.7-p2	2.4.7-p2
magento/community-edition	composer	= 2.4.7
magento/community-edition	composer	>= 2.4.6-p1, < 2.4.6-p7	2.4.6-p7
magento/community-edition	composer	= 2.4.6
magento/community-edition	composer	>= 2.4.5-p1, < 2.4.5-p9	2.4.5-p9
magento/community-edition	composer	= 2.4.5
magento/community-edition	composer	< 2.4.4-p10	2.4.4-p10
magento/community-edition	composer	= 2.4.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description indicates missing CSRF protections for minor actions. Magento's CSRF protection relies on validating form_key parameters in state-changing requests. Without commit diffs, we infer vulnerable endpoints are controller actions handling POST/PUT requests without proper CSRF token checks. The medium confidence reflects the lack of explicit patch details, but the pattern matches Magento's typical CSRF fixes where controllers omit form_key validation. The 'minor actions' description suggests non-critical endpoints (e.g., UI preferences, notifications) rather than core administrative functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

M***nto Op*n Sour** v*rsions *.*.*-p*, *.*.*-p*, *.*.*-p*, *.*.*-p* *n* **rli*r *r* *****t** *y * *ross-Sit* R*qu*st *or**ry (*SR*) vuln*r**ility t**t *oul* *llow *n *tt**k*r to *yp*ss s**urity ***tur*s *n* p*r*orm minor un*ut*oris** **tions on ****l

Reasoning

T** vuln*r**ility **s*ription in*i**t*s missin* *SR* prot**tions *or minor **tions. M***nto's *SR* prot**tion r*li*s on v*li**tin* *orm_k*y p*r*m*t*rs in st*t*-***n*in* r*qu*sts. Wit*out *ommit *i**s, w* in**r vuln*r**l* *n*points *r* *ontroll*r **ti

4.3

Basic Information

Concerned about an active attack path?

CVE-2024-39409: Magento Open Source Cross-Site Request Forgery (CSRF) vulnerability

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI