Vulnerability Report

CVE-2024-31205

Title: Saleor Saleor Arbitrary File Access

Arbitrary File Access

Proof Of Concept

No public PoC currently indexed for CVE-2024-31205.

CWE Category CWE-352

Published Date Apr 08, 2024

Modified Date Jan 07, 2026

Exploit Status Not Found

Score 4.2 CVSS v3.1

Exploit Probability (EPSS)

0.19%

Vulnerability Summary

CVE-2024-31205: Saleor is an e-commerce platform. Starting in version 3.10.0 and prior to versions 3.14.64, 3.15.39, 3.16.39, 3.17.35, 3.18.31, and 3.19.19, an attacker may bypass cross-set request forgery (CSRF) validation when calling refresh token mutation with empty string. When a user provides an empty string in `refreshToken` mutation, while the token persists in `JWT_REFRESH_TOKEN_COOKIE_NAME` cookie, application omits validation against CSRF token and returns valid access token. Versions 3.14.64, 3.15.39, 3.16.39, 3.17.35, 3.18.31, and 3.19.19 contain a patch for the issue. As a workaround, one may replace `saleor.graphql.account.mutations.authentication.refresh_token.py.get_refresh_token`. This will fix the issue, but be aware, that it returns `JWT_MISSING_TOKEN` instead of `JWT_INVALID_TOKEN`.

Impacted Vendors

mirumee 1

saleor 1

Reference Links

https://github.com/saleor/saleor/commit/36699c6f5c99590d24f46e3d5c5b1a3c2fd072e7 https://github.com/saleor/saleor/security/advisories/GHSA-ff69-fwjf-3c9w https://github.com/saleor/saleor/commit/36699c6f5c99590d24f46e3d5c5b1a3c2fd072e7 https://github.com/saleor/saleor/security/advisories/GHSA-ff69-fwjf-3c9w

CVSS v3.1

Source Entity [email protected]

Severity MEDIUM

4.2

Attack Vector

NETWORK

Complexity

HIGH

Privileges

N/A

Interaction

REQUIRED

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

UNCHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

CVSS v3.1

Source Entity [email protected]

Severity MEDIUM

5.4

Attack Vector

NETWORK

Complexity

LOW

Privileges

N/A

Interaction

REQUIRED

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

UNCHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Associated Attack Patterns (CAPEC)

Total: Patterns

CVE-2024-31205 Exploits & PoCs (Proof Of Concept)

No public PoCs found in our database for this CVE.

January 07, 2026 MODIFIED

Vulnerability data updated via NVD.

November 21, 2024 MODIFIED

Vulnerability data or affected products updated.

April 08, 2024 PUBLISHED

Vulnerability first announced in NVD.

Attack Vector Matrix

Access Vector NETWORK

Complexity HIGH

Privileges N/A

Interaction REQUIRED

CVSS Vector String


                                    CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

Affected Stack

No specific products linked.