CVE-2025-22385

An issue was discovered in Optimizely Configured Commerce before 5.2.2408. For newly created accounts, the Commerce B2B application does not require email confirmation. This medium-severity issue allows the mass creation of accounts. This could affect database storage; also, non-requested storefront accounts can be created on behalf of visitors.

CVSS v3 5.9 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://support.optimizely.com/hc/en-us/articles/32695419706637-Configured-Commerce-Security-Advisory-COM-2024-05	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:optimizely:configured_commerce:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-01-04 02:15

Updated : 2025-05-20 20:12

NVD link : CVE-2025-22385

Mitre link : CVE-2025-22385

CVE.ORG link : CVE-2025-22385

JSON object : View

Products Affected

optimizely

configured_commerce

CWE

CWE-862

Missing Authorization

{"id": "CVE-2025-22385", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.2}]}, "published": "2025-01-04T02:15:07.080", "references": [{"url": "https://support.optimizely.com/hc/en-us/articles/32695419706637-Configured-Commerce-Security-Advisory-COM-2024-05", "tags": ["Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-862"}]}, {"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Optimizely Configured Commerce before 5.2.2408. For newly created accounts, the Commerce B2B application does not require email confirmation. This medium-severity issue allows the mass creation of accounts. This could affect database storage; also, non-requested storefront accounts can be created on behalf of visitors."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en Optimizely Configured Commerce antes de la versi\u00f3n 5.2.2408. En el caso de las cuentas reci\u00e9n creadas, la aplicaci\u00f3n Commerce B2B no requiere confirmaci\u00f3n por correo electr\u00f3nico. Este problema de gravedad media permite la creaci\u00f3n masiva de cuentas. Esto podr\u00eda afectar el almacenamiento de la base de datos; adem\u00e1s, se pueden crear cuentas de tienda no solicitadas en nombre de los visitantes."}], "lastModified": "2025-05-20T20:12:36.173", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:optimizely:configured_commerce:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3E3EA39C-BADA-4649-BF50-7E095C90C125", "versionEndExcluding": "5.2.2408"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}