CVE-2024-45116
Magento Open Source Cross-Site Scripting (XSS) vulnerability
8.1
HIGH
CVSS 3.1
EPSS 1.8%
Description
Magento Open Source versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by a Cross-Site Scripting (XSS) vulnerability that could be exploited to execute arbitrary code. If an admin attacker can trick a user into clicking a specially crafted link or submitting a form, malicious scripts may be executed within the context of the victim's browser and have high impact on confidentiality and integrity. Exploitation of this issue requires user interaction.
How to fix CVE-2024-45116
To remediate CVE-2024-45116, upgrade the affected package to a fixed version below.
- —upgrade to 2.4.7-p3 or later
Is CVE-2024-45116 being exploited?
Low — EPSS is 1.8%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 2.4.7-beta1, < 2.4.7-p3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N |
| osv | CVSS 3.1 | HIGH8.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N |