CVE-2024-39322 | aimeos/ai-admin-jsonadm improper access control vulnerability allows editors to remove required records

aimeos/ai-admin-jsonadm is the Aimeos e-commerce JSON API for administrative tasks. In versions prior to 2020.10.13, 2021.10.6, 2022.10.3, 2023.10.4, and 2024.4.2, improper access control allows editors to remove admin group and locale configuration in the Aimeos backend. Versions 2020.10.13, 2021.10.6, 2022.10.3, 2023.10.4, and 2024.4.2 contain a fix for the issue.

Published: 2024-07-02 Last update: 2024-11-21 Assigner: [email protected] Source: [email protected]

NVD Status：Modified，CVE State: published

View at NVD, CVE.org, EUVD

Threat Intelligence & Risk Assessment for CVE-2024-39322

EPSS CVSS CWE GHSA Affected

Conclusion & alert: CVE-2024-39322 is rated Low Risk (32.8/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.12%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2024-39322

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2025-11-21	0.53%	0.12%	-0.40%
2	2025-11-18	0.11%	0.53%	+0.41%
3	2025-08-10	—	0.11%	—

Full EPSS history (9 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2024-39322

CVSS metrics for this CVE.

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
5.5	3.1	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:H) They need powerful rights—admin, root, or similar—before this pays off. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:N) Doesn’t really leak secrets in a meaningful way. Integrity (I:L) Attackers could change some data, but it’s limited—not everything goes. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	1.2	4.2	[email protected]
5.5	3.1	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:H) They need powerful rights—admin, root, or similar—before this pays off. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:N) Doesn’t really leak secrets in a meaningful way. Integrity (I:L) Attackers could change some data, but it’s limited—not everything goes. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	1.2	4.2	[email protected]

Weakness enumeration for CVE-2024-39322

CWE-863 MITRE ↗

GitHub Security Advisory for CVE-2024-39322

GHSA-8fj2-587w-5whr · Severity: medium · Ecosystem: composer — aimeos/ai-admin-jsonadm improper access control vulnerability allows editors to remove required records

Affected software / configurations for CVE-2024-39322

Vendor	Product	Version	Raw CPE
aimeos_project	ai-controller-frontend	< 2020.10.13	cpe:2.3:a:aimeos_project:ai-controller-frontend::::::::
aimeos_project	ai-controller-frontend	>= 2021.04.1, < 2021.10.6	cpe:2.3:a:aimeos_project:ai-controller-frontend::::::::
aimeos_project	ai-controller-frontend	>= 2022.04.1, < 2022.10.3	cpe:2.3:a:aimeos_project:ai-controller-frontend::::::::
aimeos_project	ai-controller-frontend	>= 2023.04.1, < 2023.10.4	cpe:2.3:a:aimeos_project:ai-controller-frontend::::::::
aimeos_project	ai-controller-frontend	2024.04.1	cpe:2.3:a:aimeos_project:ai-controller-frontend:2024.04.1:::::::*

References for CVE-2024-39322

URL	Tags
https://github.com/aimeos/ai-admin-jsonadm/commit/02a063fbd616d4e0a5aaf89f1642a856aa5ac5a5	Patch
https://github.com/aimeos/ai-admin-jsonadm/commit/16d013d0e28cecd19781f434d83fabebcc78cdc2	Patch
https://github.com/aimeos/ai-admin-jsonadm/commit/4c966e02bd52589c3c9382777cfe170eddf17b00	Patch
https://github.com/aimeos/ai-admin-jsonadm/commit/640954243ce85c2c303a00dd6481ed39b3d218fb	Patch
https://github.com/aimeos/ai-admin-jsonadm/commit/7d1c05e8368b0a6419820fe402deac9960500026	Patch
https://github.com/aimeos/ai-admin-jsonadm/security/advisories/GHSA-8fj2-587w-5whr	Third Party Advisory

cvelogic Threat Intelligence