CVE-2024-34110

Description

Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution. A high-privilege attacker could exploit this vulnerability by uploading a malicious file to the system, which could then be executed. Exploitation of this issue does not require user interaction.

How to fix CVE-2024-34110

To remediate CVE-2024-34110, upgrade the affected package to a fixed version below.

—upgrade to 2.4.7-p1 or later

Is CVE-2024-34110 being exploited?

Moderate — EPSS is 5.7%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

>= 2.4.7-alpha0, < 2.4.7-p1, >= 2.4.6-alpha0, < 2.4.6-p6, >= 2.4.5-alpha0, < 2.4.5-p8, >= 2.4.4-alpha0, < 2.4.4-p9

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

References (1)

WEBhelpx.adobe.com/security/products/magento/apsb24-40.html