CVE-2025-22384

High

Published: 04 January 2025

Published

04 January 2025

Modified

20 May 2025

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score 0.0027 50.5th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

An issue was discovered in Optimizely Configured Commerce before 5.2.2408. A medium-severity issue concerning business logic exists in the Commerce B2B application, which allows storefront visitors to purchase discontinued products in specific scenarios where requests are altered before reaching the server.

Security Summary

CVE-2025-22384 is a business logic vulnerability in Optimizely Configured Commerce versions prior to 5.2.2408, affecting the Commerce B2B application. The flaw enables storefront visitors to purchase discontinued products in specific scenarios by altering requests before they reach the server. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and maps to CWE-472 and NVD-CWE-Other.

Unauthenticated attackers with network access can exploit this issue with low attack complexity and no user interaction. By modifying requests en route to the server, they bypass controls on discontinued products, achieving high-impact unauthorized disclosure of confidential information.

Optimizely's security advisory (COM-2024-02) at https://support.optimizely.com/hc/en-us/articles/32694560473741-Configured-Commerce-Security-Advisory-COM-2024-02 provides details on the vulnerability. Mitigation requires upgrading to Configured Commerce 5.2.2408 or later.

Details

CWE(s): CWE-472NVD-CWE-Other

Affected Products

optimizely

configured commerce

≤ 5.2.2408

References

https://support.optimizely.com/hc/en-us/articles/32694560473741-Configured-Commerce-Security-Advisory-COM-2024-02
Vendor Advisory · cve@mitre.org