CVE-2024-37296

Summary

The Aimeos HTML client provides Aimeos HTML components for e-commerce projects. Starting in version 2020.04.1 and prior to versions 2020.10.27, 2021.10.21, 2022.10.12, 2023.10.14, and 2024.04.5, digital downloads sold in online shops can be downloaded without valid payment, e.g. if the payment didn't succeed. Versions 2020.10.27, 2021.10.21, 2022.10.12, 2023.10.14, and 2024.04.5 fix this issue.

Affected Software

VendorProductVersion RangeStatus
aimeosai-client-html>= 2024.04.1, < 2024.04.5affected
aimeosai-client-html>= 2023.04.1, < 2023.10.14affected
aimeosai-client-html>= 2022.04.1, < 2022.10.12affected
aimeosai-client-html>= 2021.04.1, < 2021.10.21affected
aimeosai-client-html>= 2020.04.1, < 2020.10.27affected

Weaknesses

  • CWE-841: CWE-841: Improper Enforcement of Behavioral Workflow
  • CWE-862: CWE-862: Missing Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References