Vulnerability Report

CVE-2024-29888

Title: Saleor click-and-collect customer address exposure (CWE-359)

Exposure of private personal information: a customer-supplied address overwrites the warehouse pickup address, so the customer's own address is shown as the click-and-collect location.

Proof Of Concept

No public PoC currently indexed for CVE-2024-29888.

CWE Category: CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor)
Published Date: Mar 27, 2024
Modified Date: Jan 08, 2026
Exploit Status: Not Found
Score: 4.2 (CVSS v3.1)
Exploit Probability (EPSS): 0.54%

Vulnerability Summary

CVE-2024-29888: Saleor is an e-commerce platform that serves high-volume companies. When `Pickup: Local stock only` click-and-collect is used as the delivery method, under specific conditions a customer could overwrite the warehouse address with their own, so that the customer's private address was exposed as the click-and-collect (pickup) address. The issue is patched in versions `3.14.61`, `3.15.37`, `3.16.34`, `3.17.32`, `3.18.28` and `3.19.15`; deployments on those minor branches should upgrade to at least the listed release. The fix commits and pull requests are linked from the GitHub advisory GHSA-mrj3-f2h4-7w45 below.
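The following is an added illustration of the bug class the summary describes, not Saleor's code: a checkout whose delivery method is warehouse pickup accepts a customer-supplied shipping address, so the customer's private address replaces the warehouse address as the pickup location. The class names (`Address`, `Warehouse`, `Checkout`), the two `update_shipping_address` variants and the sample data are all assumptions made for the example; the hardened variant shows the check a practitioner would expect: once a collection point is set, the shipping address is derived from the warehouse and customer input is rejected.

```python
"""Added illustration of the click-and-collect address-overwrite bug class.
This is example code, not Saleor's; all names below are assumed."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Address:
    name: str
    street: str
    city: str


@dataclass(frozen=True)
class Warehouse:
    name: str
    address: Address
    click_and_collect: str  # assumed values: "local", "all", "disabled"


@dataclass
class Checkout:
    collection_point: Optional[Warehouse] = None
    shipping_address: Optional[Address] = None

    def pickup_address(self) -> Optional[Address]:
        """Address rendered to the customer as the click-and-collect location."""
        return self.shipping_address


def set_collection_point(checkout: Checkout, warehouse: Warehouse) -> Checkout:
    """Selecting pickup copies the warehouse address into the checkout."""
    checkout.collection_point = warehouse
    checkout.shipping_address = warehouse.address
    return checkout


def vulnerable_update_shipping_address(checkout: Checkout, new_address: Address) -> Checkout:
    # Bug class: the update trusts the caller's address even when the
    # delivery method is pickup, overwriting the warehouse address.
    checkout.shipping_address = new_address
    return checkout


def fixed_update_shipping_address(checkout: Checkout, new_address: Address) -> Checkout:
    # Hardened form: with a collection point set, the shipping address is
    # owned by the warehouse and customer input is rejected outright.
    if checkout.collection_point is not None:
        raise ValueError("shipping address is fixed by the collection point")
    checkout.shipping_address = new_address
    return checkout


# Constructed sample data for the demonstration (not real locations).
WAREHOUSE = Warehouse(
    "Downtown store", Address("Downtown store", "10 Market St", "Springfield"), "local"
)
CUSTOMER_ADDRESS = Address("Alice Example", "1 Customer Lane", "Springfield")


def demo(fixed: bool) -> Tuple[Optional[Address], Optional[str]]:
    """Run pickup selection followed by a customer address update.

    Returns (address shown as the pickup location, error message or None).
    """
    checkout = set_collection_point(Checkout(), WAREHOUSE)
    update = fixed_update_shipping_address if fixed else vulnerable_update_shipping_address
    try:
        update(checkout, CUSTOMER_ADDRESS)
        error = None
    except ValueError as exc:
        error = str(exc)
    return checkout.pickup_address(), error


if __name__ == "__main__":
    print("vulnerable:", demo(fixed=False))
    print("fixed:     ", demo(fixed=True))
```

Running the block shows the vulnerable path returning the customer's address as the pickup location, while the hardened path keeps the warehouse address and reports the rejected update. The same invariant (pickup address is always derived from the selected warehouse, never from request input) is what a reviewer should look for in any checkout mutation that touches both the delivery method and the shipping address.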

Impacted Vendors

Saleor (GitHub: saleor/saleor), per the summary and the advisory links below.

Reference Links

https://github.com/saleor/saleor/security/advisories/GHSA-mrj3-f2h4-7w45
https://github.com/saleor/saleor/pull/15694
https://github.com/saleor/saleor/pull/15697
https://github.com/saleor/saleor/commit/22a1aa3ef0bc54156405f69146788016a7f3f761
https://github.com/saleor/saleor/commit/39abb0f4e4fe6503f81bfbb871227e4f70bcdd5c
https://github.com/saleor/saleor/commit/47cedfd7d6524d79bdb04708edcdbb235874de6b
https://github.com/saleor/saleor/commit/997f7ea4f576543ec88679a86bfe1b14f7f2ff26
https://github.com/saleor/saleor/commit/b7cecda8b603f7472790150bb4508c7b655946d4
https://github.com/saleor/saleor/commit/d8ba545c16ad3153febc5b5be8fd2ef75da9fc95
https://github.com/saleor/saleor/commit/dccc2c842b4e2e09470929c80f07dc137e439182
https://github.com/saleor/saleor/commit/ef003c76a304c89ddb2dc65b7f1d5b3b2ba1c640
CVSS v3.1 (first source)
Source Entity: [email protected]
Severity: MEDIUM, base score 4.2
Attack Vector: NETWORK (AV:N)
Attack Complexity: HIGH (AC:H)
Privileges Required: NONE (PR:N)
User Interaction: REQUIRED (UI:R)
Scope: UNCHANGED (S:U)
Confidentiality: LOW (C:L)
Integrity: LOW (I:L)
Availability: NONE (A:N)
Raw vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

CVSS v3.1 (second source)
Source Entity: [email protected]
Severity: MEDIUM, base score 5.4
Attack Vector: NETWORK (AV:N)
Attack Complexity: LOW (AC:L)
Privileges Required: NONE (PR:N)
User Interaction: REQUIRED (UI:R)
Scope: UNCHANGED (S:U)
Confidentiality: LOW (C:L)
Integrity: LOW (I:L)
Availability: NONE (A:N)
Raw vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

The two vectors differ only in Attack Complexity (High versus Low), which accounts for the 4.2 versus 5.4 base scores; both agree that no privileges are needed, user interaction is required, and the impact is limited to low confidentiality and integrity loss (the customer's address is disclosed and the pickup address is altered) with no availability impact.

Change History (most recent first)

MODIFIED: vulnerability data updated via NVD.
MODIFIED: vulnerability data updated via NVD.
MODIFIED: vulnerability data or affected products updated.
PUBLISHED: vulnerability first announced in NVD.

Affected Stack

No specific products are linked by the data source. From the summary above, the affected software is Saleor on the 3.14 through 3.19 minor branches before their respective fixed releases 3.14.61, 3.15.37, 3.16.34, 3.17.32, 3.18.28 and 3.19.15.
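A practical check derived from the patched versions listed on this page, added here as example code rather than a Saleor tool: parse an installed Saleor version string and decide whether it is at or past the fixed release for its minor branch. The version strings in the usage are constructed; branches the advisory does not name (3.13 and earlier, or branches cut after the fix) are reported as unlisted rather than guessed at.

```python
"""Added version check for CVE-2024-29888 using the fixed releases listed on
this page. Example code, not part of Saleor; sample versions are constructed."""
import re
from typing import Dict, Iterable, Tuple

Version = Tuple[int, int, int]

# Fixed release per minor branch, as listed in the vulnerability summary.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (3, 14): (3, 14, 61),
    (3, 15): (3, 15, 37),
    (3, 16): (3, 16, 34),
    (3, 17): (3, 17, 32),
    (3, 18): (3, 18, 28),
    (3, 19): (3, 19, 15),
}


def parse_version(text: str) -> Version:
    """Accept '3.19.14', 'v3.19.14' or '3.19.14+build'; reject pre-release
    tags and anything else so the check stays conservative."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:\+[0-9A-Za-z.-]+)?", text.strip())
    if m is None:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def status(text: str) -> str:
    """Return 'fixed', 'vulnerable', or 'unlisted-branch'.

    'unlisted-branch' covers minor branches the advisory does not name; those
    need a manual check against the repository rather than this table.
    """
    version = parse_version(text)
    fixed = FIXED_BY_BRANCH.get((version[0], version[1]))
    if fixed is None:
        return "unlisted-branch"
    return "fixed" if version >= fixed else "vulnerable"


def triage(versions: Iterable[str]) -> Dict[str, str]:
    """Map each version string to its status, e.g. for a fleet inventory."""
    return {v: status(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory.
    for v, s in triage(["3.19.14", "3.19.15", "v3.16.40", "3.14.60", "3.13.9", "3.20.0"]).items():
        print(f"{v:>10}  {s}")
```

The comparison is done per minor branch on purpose: a 3.16 installation at 3.16.40 is fixed even though its patch number is lower than 3.14.61, and a 3.19 installation at 3.19.14 is vulnerable even though it is the newest branch named. Feed the function whatever your deployment reports as the running Saleor version (container image tag, package metadata, or the value your own inventory records).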