CVE-2025-22384

An issue was discovered in Optimizely Configured Commerce before 5.2.2408. A medium-severity issue concerning business logic exists in the Commerce B2B application, which allows storefront visitors to purchase discontinued products in specific scenarios where requests are altered before reaching the server.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://support.optimizely.com/hc/en-us/articles/32694560473741-Configured-Commerce-Security-Advisory-COM-2024-02	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:optimizely:configured_commerce:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-01-04 02:15

Updated : 2025-05-20 20:27

NVD link : CVE-2025-22384

Mitre link : CVE-2025-22384

CVE.ORG link : CVE-2025-22384

JSON object : View

Products Affected

optimizely

configured_commerce

CWE

CWE-472

External Control of Assumed-Immutable Web Parameter

NVD-CWE-Other

7.5 /10