GHSA-297f-r9w7-w492

GitHub Security Advisory

Magento Improper input validation vulnerability

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an improper input validation vulnerability. An authenticated attacker can trigger an insecure direct object reference in the `V1/customers/me` endpoint to achieve information exposure and privilege escalation.

Affected Packages

Packagist magento/community-edition, affected versions: 0 (fixed in 2.3.7-p4)
Packagist magento/community-edition, affected versions: 2.4.0 (fixed in 2.4.3-p3)
Packagist magento/community-edition, affected versions: 2.4.4 (fixed in 2.4.5)

Related CVEs

Key Information

GHSA ID: GHSA-297f-r9w7-w492
Published: October 20, 2022 7:00 PM
Last Modified: April 23, 2024 5:24 PM
CVSS Score: 7.5/10
Primary Ecosystem: Packagist
Primary Package: magento/community-edition
GitHub Reviewed: ✓ Yes

Dataset

Last updated: August 1, 2025 6:44 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.