CVE-2025-22385

An issue was discovered in Optimizely Configured Commerce before 5.2.2408. For newly created accounts, the Commerce B2B application does not require email confirmation. This medium-severity issue allows the mass creation of accounts. This could affect database storage; also, non-requested storefront accounts can be created on behalf of visitors.
Configurations

Configuration 1

cpe:2.3:a:optimizely:configured_commerce:*:*:*:*:*:*:*:*

History

20 May 2025, 20:12

Type: References
Values Removed: () https://support.optimizely.com/hc/en-us/articles/32695419706637-Configured-Commerce-Security-Advisory-COM-2024-05 -
Values Added: () https://support.optimizely.com/hc/en-us/articles/32695419706637-Configured-Commerce-Security-Advisory-COM-2024-05 - Vendor Advisory

Type: First Time
Values Added: Optimizely configured Commerce; Optimizely

Type: CPE
Values Added: cpe:2.3:a:optimizely:configured_commerce:*:*:*:*:*:*:*:*

Type: Summary
Values Added:
  • (es) An issue was discovered in Optimizely Configured Commerce before version 5.2.2408. For newly created accounts, the Commerce B2B application does not require email confirmation. This medium-severity issue allows the mass creation of accounts. This could affect database storage; in addition, non-requested storefront accounts can be created on behalf of visitors.

06 Jan 2025, 16:15

Type: CVSS
Values Removed: v2 : unknown; v3 : unknown
Values Added: v2 : unknown; v3 : 5.9

04 Jan 2025, 02:15

Type: New CVE

Information

Published : 2025-01-04 02:15

Updated : 2025-05-20 20:12


NVD link : CVE-2025-22385

Mitre link : CVE-2025-22385

CVE.ORG link : CVE-2025-22385



Products Affected

optimizely

  • configured_commerce

CWE

CWE-862: Missing Authorization