CVE-2024-37296— Aimeos HTML client vulnerable to digital products download without proper payment status check

CVSS 5.3 · Medium EPSS 0.28% · P51 Updated Jan 25, 2025

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2024-37296

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Aimeos HTML client vulnerable to digital products download without proper payment status check

Source: NVD (National Vulnerability Database)

Vulnerability Description

The Aimeos HTML client provides Aimeos HTML components for e-commerce projects. Starting in version 2020.04.1 and prior to versions 2020.10.27, 2021.10.21, 2022.10.12, 2023.10.14, and 2024.04.5, digital downloads sold in online shops can be downloaded without valid payment, e.g. if the payment didn't succeed. Versions 2020.10.27, 2021.10.21, 2022.10.12, 2023.10.14, and 2024.04.5 fix this issue.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Source: NVD (National Vulnerability Database)

Vulnerability Type

行为工作流的不恰当实施

Source: NVD (National Vulnerability Database)

Vulnerability Title

Aimeos 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Aimeos是Aimeos开源的一个面向在线商店的开源电子商务框架。 Aimeos 2020.10.27、2021.10.21、2022.10.12、2023.10.14 和 2024.04.5 之前版本存在安全漏洞，该漏洞源于在线商店出售的数字下载内容无需有效付款即可下载。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
aimeos	ai-client-html	>= 2024.04.1, < 2024.04.5	-

II. Public POCs for CVE-2024-37296

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2024-37296

请登录查看更多情报信息。

https://github.com/aimeos/ai-client-html/security/advisories/GHSA-v4g2-cm5v-cxv7x_refsource_CONFIRM
https://github.com/aimeos/ai-client-html/commit/7f01d2f4fbc67f5231fd84adeb835d28252b8409x_refsource_MISC
https://github.com/aimeos/ai-client-html/commit/fc611ff9a57e421d0ad9d99346b561cea515c5f0x_refsource_MISC
https://github.com/aimeos/ai-client-html/commit/12d8aad1a373bf9d350872501adec3e222164f83x_refsource_MISC
https://github.com/aimeos/ai-client-html/commit/5a7249769142b3ce70959ab1fb70c7e7c251e214x_refsource_MISC
https://github.com/aimeos/ai-client-html/commit/6460ffe8f4929d864164aa96c5b49eca5326d975x_refsource_MISC
https://nvd.nist.gov/vuln/detail/CVE-2024-37296

Same Patch Batch · aimeos · 2024-06-11 · 3 CVEs total

CVE-2024-37295	7.2 HIGH	Aimeos Core remote code execution in web server context
CVE-2024-37294	5.5 MEDIUM	Aimeos denial of service vulnerability in SaaS and marketplace setups

IV. Related Vulnerabilities

Same product: ai-client-html

CVE-2024-38516
Aimeos HTML client may potentially reveal sensitive informat

Same vendor: aimeos

Same weakness: CWE-841

V. Comments for CVE-2024-37296

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2024-37296— Aimeos HTML client vulnerable to digital products download without proper payment status check

I. Basic Information for CVE-2024-37296

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2024-37296

III. Intelligence Information for CVE-2024-37296

Same Patch Batch · aimeos · 2024-06-11 · 3 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2024-37296

Leave a comment