Configured Commerce Security Advisory - COM-2024-02


Brief Description:

A medium-severity business-logic issue was identified in the Commerce B2B application. It allows storefront visitors to purchase discontinued products in specific scenarios where the request is altered before it reaches the server.
Affected Versions:

All versions before 5.2.2408 (STS) and 5.2.2408 (LTS).
Solutions and Mitigations:

The application has been updated to prevent the purchase of discontinued products by validating product status on the server before the order enters the purchase workflow.
For Users that Cannot Upgrade:

If you are unable to upgrade, the following mitigations are suggested:

  • Review submitted purchases for items that are not available for sale, such as discontinued products. Triggering this behavior is not trivial, but it is possible.
  • Consider removing discontinued products from the storefront.
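The following is an added illustration, not code from Configured Commerce, of the fix described under "Solutions and Mitigations" and of the order-review mitigation above. The catalog, product codes and the `client_says_available` field are constructed for the example; the point is that the hardened checkout re-derives product status from server-side data instead of trusting anything in the request.

```python
from dataclasses import dataclass
from enum import Enum


class ProductStatus(Enum):
    ACTIVE = "active"
    DISCONTINUED = "discontinued"


# Constructed sample catalog; product codes and statuses are made up for this example.
CATALOG = {
    "WIDGET-100": ProductStatus.ACTIVE,
    "WIDGET-200": ProductStatus.DISCONTINUED,
}


@dataclass(frozen=True)
class CartLine:
    product_code: str
    qty: int
    client_says_available: bool  # hypothetical request field, under the visitor's control


def checkout_vulnerable(lines):
    """Trusts the availability flag the client sent: an altered request can
    mark a discontinued product as available and the order goes through."""
    if not all(line.client_says_available for line in lines):
        raise ValueError("unavailable item in cart")
    return {"accepted": [line.product_code for line in lines]}


def checkout_fixed(lines):
    """Re-derives product status from the server-side catalog at checkout,
    so altering the request cannot bypass the discontinued-product check."""
    for line in lines:
        status = CATALOG.get(line.product_code)  # unknown codes are rejected too
        if status is not ProductStatus.ACTIVE:
            raise ValueError(f"product {line.product_code} is not purchasable")
    return {"accepted": [line.product_code for line in lines]}


def flag_suspect_orders(orders):
    """Mitigation for deployments that cannot upgrade: review submitted orders
    and return the ids of any that contain a product that is not active."""
    return [
        order_id
        for order_id, lines in orders.items()
        if any(CATALOG.get(l.product_code) is not ProductStatus.ACTIVE for l in lines)
    ]
```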
CVSS and Severity:

CVSS 5.9, Medium
CVE ID:

CVE-2025-22384
Date Published:

Dec 13, 2024