Security update available for ÃÛ¶¹ÊÓƵ Commerce - APSB24-73
On October 08, 2024, ÃÛ¶¹ÊÓƵ released a regularly scheduled security update for ÃÛ¶¹ÊÓƵ Commerce and ÃÛ¶¹ÊÓƵ Commerce Webhooks Plugin.
This update resolves vulnerabilities. Successful exploitation could lead to arbitrary code execution, arbitrary file system read, security feature bypass, and privilege escalation. The bulletin is .
Please apply the latest security updates as soon as possible. If you fail to do so, you will be vulnerable to these security issues, and ÃÛ¶¹ÊÓƵ will have limited means to help remediate.
Affected products and versions
ÃÛ¶¹ÊÓƵ Commerce on Cloud and ÃÛ¶¹ÊÓƵ Commerce on-premises:
- 2.4.7-p2 and earlier
- 2.4.6-p7 and earlier
- 2.4.5-p9 and earlier
- 2.4.4-p10 and earlier
B2B:
- 1.4.2-p2 and earlier
- 1.3.5-p7 and earlier
- 1.3.4-p9 and earlier
- 1.3.3-p10 and earlier
Solution for ÃÛ¶¹ÊÓƵ Commerce on Cloud and ÃÛ¶¹ÊÓƵ Commerce on-premises Software
To help resolve the vulnerability for the affected products and versions, you must apply the CVE-2024-45115 Isolated patch.
Isolated Patch Details
Use the following attached Isolated patch:
How to apply the Isolated patch
Unzip the file and see How to apply a composer patch provided by ÃÛ¶¹ÊÓƵ in our support knowledge base for instructions.
For ÃÛ¶¹ÊÓƵ Commerce on Cloud merchants only - How to tell whether the Isolated patches have been applied
Considering that it isn’t possible to easily check if the issue was patched, you might want to check whether the CVE-2024-45115 Isolated patch has been successfully applied.
You can do this by taking the following steps, using the file VULN-27015-2.4.7_COMPOSER.patch as an example:
-
Run the command:
-
You should see output similar to this, where VULN-27015 returns the  Applied  s³Ù²¹³Ù³Ü²õ:
code language-bash ║ Id │ Title │ Category │ Origin │ Status │ Details ║ ║ N/A │ ../m2-hotfixes/VULN-27015-2.4.7_COMPOSER_patch.patch │ Other │ Local │ Applied │ Patch type: Custom
Security updates
Security updates available for ÃÛ¶¹ÊÓƵ Commerce: