4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-39410

GHSA ID

GHSA-4323-f82v-f6jr

EPSS Score

0.33288%

CWE

CWE-352

Published

8/14/2024

Updated

9/16/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-39410

CVE-2024-39410: Magento Open Source Cross-Site Request Forgery (CSRF) vulnerability

Magento Open Source versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could allow an attacker to bypass security features and perform minor unauthorised actions on behalf of a user. The vulnerability could be exploited by tricking a victim into clicking a link or loading a page that submits a malicious request. Exploitation of this issue requires user interaction.

(GitHub Advisory)

4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-39410

GHSA ID

GHSA-4323-f82v-f6jr

EPSS Score

0.33288%

CWE

CWE-352

Published

8/14/2024

Updated

9/16/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
magento/community-edition	composer	>= 2.4.7-p1, < 2.4.7-p2	2.4.7-p2
magento/community-edition	composer	= 2.4.7
magento/community-edition	composer	>= 2.4.6-p1, < 2.4.6-p7	2.4.6-p7
magento/community-edition	composer	= 2.4.6
magento/community-edition	composer	>= 2.4.5-p1, < 2.4.5-p9	2.4.5-p9
magento/community-edition	composer	= 2.4.5
magento/community-edition	composer	< 2.4.4-p10	2.4.4-p10
magento/community-edition	composer	= 2.4.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

CSRF vulnerabilities in Magento typically stem from state-changing controller actions missing CSRF token validation. The advisory describes unauthorized actions requiring user interaction, pointing to frontend/backend controllers handling sensitive operations. Common targets include store management (Adminhtml) and user account actions (Customer). While exact patched functions aren't visible without commit diffs, historical Magento CSRF fixes often involve adding FormKey validation or @Csrf annotations to such controllers. Confidence is medium due to pattern-matching against Magento's architecture and CWE-352 characteristics.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

M***nto Op*n Sour** v*rsions *.*.*-p*, *.*.*-p*, *.*.*-p*, *.*.*-p* *n* **rli*r *r* *****t** *y * *ross-Sit* R*qu*st *or**ry (*SR*) vuln*r**ility t**t *oul* *llow *n *tt**k*r to *yp*ss s**urity ***tur*s *n* p*r*orm minor un*ut*oris** **tions on ****l

Reasoning

*SR* vuln*r**iliti*s in M***nto typi**lly st*m *rom st*t*-***n*in* *ontroll*r **tions missin* *SR* tok*n v*li**tion. T** **visory **s*ri**s un*ut*oriz** **tions r*quirin* us*r int*r**tion, pointin* to *ront*n*/***k*n* *ontroll*rs **n*lin* s*nsitiv* o

4.3

Basic Information

Concerned about an active attack path?

CVE-2024-39410: Magento Open Source Cross-Site Request Forgery (CSRF) vulnerability

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI