CVE-2024-39322: 
PHP vulnerability analysis and mitigation

CVE-2024-39322 affects the Aimeos e-commerce JSON API (ai-admin-jsonadm) for administrative tasks. The vulnerability was discovered in versions prior to 2020.10.13, 2021.10.6, 2022.10.3, 2023.10.4, and 2024.4.2, where improper access control allows editors to remove admin group and locale configuration in the Aimeos backend (GitHub Advisory).

The vulnerability is classified with a CVSS v3.1 Base Score of 5.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H. The vulnerability stems from incorrect authorization (CWE-863) that allows editors to modify privileged configurations that should be restricted to super users only (NVD).

The vulnerability allows editors to remove admin group and locale configuration in the Aimeos backend, potentially disrupting system administration and locale settings. This can lead to low integrity impact but high availability impact on the affected systems (GitHub Advisory).

The vulnerability has been fixed in versions 2020.10.13, 2021.10.6, 2022.10.3, 2023.10.4, and 2024.4.2. Users should upgrade to these patched versions to mitigate the vulnerability. The fix restricts locale currency/language/site modifications to super users only (GitHub Commits).