Configured Commerce Security Advisory - COM-2024-05


Brief Description: 

Newly created accounts in the Commerce B2B application did not require email confirmation. This medium-severity issue allowed accounts to be created in bulk, which could consume database storage, and allowed storefront accounts to be created for email addresses whose owners never requested them.

 

Affected Versions: 

All versions prior to 5.2.2408 (STS) and 5.2.2408 (LTS). 

 

Solutions and Mitigations: 
The application now does not create an account for a visitor until the email address supplied for that account has been validated by following a link sent to that address.
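As an added illustration of the confirmation-link pattern described above (this is example code, not Optimizely's implementation), the registration below never writes an account row until the emailed token comes back. The in-memory stores, the secret key, and the 24-hour lifetime are assumptions; only an HMAC of the token is stored, so a copy of the pending table does not let anyone confirm on a victim's behalf.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical server-side secret; a real deployment would load it from a secret store.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 24 * 3600  # assumed lifetime of a confirmation link


@dataclass
class PendingRegistration:
    email: str
    token_hash: str      # HMAC of the emailed token, never the token itself
    expires_at: float


# Hypothetical in-memory tables standing in for the database.
PENDING: Dict[str, PendingRegistration] = {}
ACCOUNTS: Dict[str, dict] = {}


def _mac(data: bytes) -> str:
    return hmac.new(SECRET_KEY, data, hashlib.sha256).hexdigest()


def start_registration(email: str, now: Optional[float] = None) -> str:
    """Record a pending registration and return the token to embed in the emailed link.

    No account is created here; re-requesting replaces any earlier pending token.
    """
    if now is None:
        now = time.time()
    email = email.strip().lower()
    token = secrets.token_urlsafe(32)
    PENDING[email] = PendingRegistration(
        email=email,
        token_hash=_mac(token.encode()),
        expires_at=now + TOKEN_TTL_SECONDS,
    )
    return token


def confirm_registration(email: str, token: str, now: Optional[float] = None) -> bool:
    """Create the account only if the presented token matches, is unexpired and unused."""
    if now is None:
        now = time.time()
    email = email.strip().lower()
    pending = PENDING.get(email)
    if pending is None:
        return False
    if now > pending.expires_at:
        del PENDING[email]          # stale link: drop it, require a fresh request
        return False
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(pending.token_hash, _mac(token.encode())):
        return False
    ACCOUNTS[email] = {"email": email, "created_at": now}
    del PENDING[email]              # one-shot: the same link cannot be replayed
    return True
```

The point worth checking in any real implementation is the same as in the test below: a wrong, expired, or already-used token must leave the accounts table untouched.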

 

For Users that Cannot Upgrade: 
If you are unable to upgrade to a fixed version, periodically check database space and prune accounts that show no activity, as well as clusters of accounts created within very short time windows.
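The two pruning criteria above can be turned into a repeatable check. The script below is an added example, not a tool shipped with the product: it assumes an export of the accounts table with a creation timestamp and a last-activity timestamp, uses a constructed sample in place of that export, and flags both bursts (at least 10 accounts created inside any 5-minute window) and accounts with no activity after 30 days. The thresholds are assumptions to tune per site.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Account:
    account_id: str
    email: str
    created_at: datetime
    last_activity: Optional[datetime]   # None means the account never logged in


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample data (hypothetical, not from any real storefront):
# twelve accounts created ten seconds apart, plus a few ordinary ones.
SAMPLE_ACCOUNTS: List[Account] = [
    Account(f"acct-b{k:02d}", f"user{k}@example.net",
            _ts("2024-12-01T03:00:00") + timedelta(seconds=10 * k), None)
    for k in range(12)
] + [
    Account("acct-legit1", "alice@example.com", _ts("2024-11-20T10:15:00"), _ts("2024-12-10T16:40:00")),
    Account("acct-legit2", "bob@example.com", _ts("2024-11-25T14:02:00"), _ts("2024-12-11T09:05:00")),
    Account("acct-stale", "old@example.com", _ts("2024-10-01T09:00:00"), None),
    Account("acct-new", "fresh@example.com", _ts("2024-12-11T08:00:00"), None),
]


def find_prune_candidates(
    accounts: Iterable[Account],
    now: datetime,
    window: timedelta = timedelta(minutes=5),
    burst_threshold: int = 10,
    inactive_after: timedelta = timedelta(days=30),
) -> Dict[str, Set[str]]:
    """Return account ids flagged as part of a creation burst or as long inactive."""
    ordered = sorted(accounts, key=lambda a: a.created_at)
    burst: Set[str] = set()
    j = 0
    # Sliding window over creation times: for each start index i, advance j to the
    # first account created more than `window` later; a wide window is a burst.
    for i, start in enumerate(ordered):
        while j < len(ordered) and ordered[j].created_at - start.created_at <= window:
            j += 1
        if j - i >= burst_threshold:
            burst.update(a.account_id for a in ordered[i:j])
    inactive = {
        a.account_id
        for a in ordered
        if a.last_activity is None and now - a.created_at >= inactive_after
    }
    return {"burst": burst, "inactive": inactive}


if __name__ == "__main__":
    result = find_prune_candidates(SAMPLE_ACCOUNTS, now=_ts("2024-12-12T00:00:00"))
    for reason, ids in result.items():
        print(reason, sorted(ids))
```

Before deleting anything, exclude flagged accounts that have orders, quotes, or other business records; the burst heuristic identifies candidates for review, not proof that an account is unwanted.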

 

CVSS and Severity: 
CVSS 5.9, Medium 

 

CVE ID: 
CVE-2025-22385

 

Date Published: 
Dec 13, 2024