← back
CVE-2024-37296

Aimeos HTML client vulnerable to digital products download without proper payment status check

CVSS 5.3 MEDIUMEPSS 0.5%CWE-841CWE-862
The Aimeos HTML client provides Aimeos HTML components for e-commerce projects. Starting in version 2020.04.1 and prior to versions 2020.10.27, 2021.10.21, 2022.10.12, 2023.10.14, and 2024.04.5, digital downloads sold in online shops can be downloaded without valid payment, e.g. if the payment didn't succeed. Versions 2020.10.27, 2021.10.21, 2022.10.12, 2023.10.14, and 2024.04.5 fix this issue.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected products
aimeos · ai-client-html

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/aimeos/ai-client-html/commit/12d8aad1a373bf9d350872501adec3e222164f83https://github.com/aimeos/ai-client-html/commit/5a7249769142b3ce70959ab1fb70c7e7c251e214https://github.com/aimeos/ai-client-html/commit/6460ffe8f4929d864164aa96c5b49eca5326d975https://github.com/aimeos/ai-client-html/commit/7f01d2f4fbc67f5231fd84adeb835d28252b8409https://github.com/aimeos/ai-client-html/commit/fc611ff9a57e421d0ad9d99346b561cea515c5f0https://github.com/aimeos/ai-client-html/security/advisories/GHSA-v4g2-cm5v-cxv7