CVE-2023-22247: Adobe Security Bulletin
Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an XML Injection vulnerability that could lead to arbitrary file system read. An unauthenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction.
Security update available for Adobe Commerce | APSB23-17
| Bulletin ID | Date Published | Priority |
|---|---|---|
| APSB23-17 | March 14, 2023 | 3 |
Summary
Adobe has released a security update for Adobe Commerce and Magento Open Source. This update resolves critical, important and moderate vulnerabilities. Successful exploitation could lead to arbitrary code execution, security feature bypass and arbitrary file system read.
Affected Versions
| Product | Version | Platform |
|---|---|---|
| Adobe Commerce | 2.4.4-p2 and earlier versions | All |
| Adobe Commerce | 2.4.5-p1 and earlier versions | All |
| Magento Open Source | 2.4.4-p2 and earlier versions | All |
| Magento Open Source | 2.4.5-p1 and earlier versions | All |
Solution
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.
| Product | Updated Version | Platform | Priority Rating | Installation Instructions |
|---|---|---|---|---|
| Adobe Commerce | 2.4.6, 2.4.5-p2, 2.4.4-p3 | All | 3 | 2.4.x release notes |
| Magento Open Source | 2.4.6, 2.4.5-p2, 2.4.4-p3 | All | 3 | 2.4.x release notes |
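A version check for the affected and updated ranges in the two tables above, added here as an example and not part of Adobe's bulletin or the Magento code base. It assumes the Composer package names magento/product-community-edition and magento/product-enterprise-edition carry the release version, and treats release lines older than 2.4.4 as "earlier versions", i.e. affected.

```python
import json
import re
from typing import Optional, Tuple

# Patched releases listed in the Solution table of APSB23-17.
FIXED_VERSIONS = ("2.4.6", "2.4.5-p2", "2.4.4-p3")
# Composer packages whose version is the Adobe Commerce / Magento Open Source release
# (package names are an assumption of this example, not taken from the bulletin).
CORE_PACKAGES = ("magento/product-enterprise-edition", "magento/product-community-edition")

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """'2.4.5-p1' -> (2, 4, 5, 1); a release with no -pN suffix gets p-level 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Adobe Commerce version: {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected(version: str) -> bool:
    """True when `version` falls inside the bulletin's affected ranges.

    Assumption: lines older than 2.4.4 (which received no patch build) count as
    'earlier versions' and are reported as affected.
    """
    v = parse_version(version)
    fixed_plevel = {parse_version(f)[:3]: parse_version(f)[3] for f in FIXED_VERSIONS}
    line = v[:3]
    if line in fixed_plevel:      # 2.4.4 / 2.4.5 / 2.4.6 lines: compare the -p level
        return v[3] < fixed_plevel[line]
    if line > (2, 4, 6):          # later lines already contain the fix
        return False
    return True                   # 2.4.3 and older


def installed_version(composer_lock: str) -> Optional[str]:
    """Return the core package version recorded in a composer.lock document, if any."""
    for pkg in json.loads(composer_lock).get("packages", []):
        if pkg.get("name") in CORE_PACKAGES:
            return pkg.get("version")
    return None


# Constructed composer.lock excerpt for a store still on 2.4.5-p1.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "magento/framework", "version": "103.0.5-p1"},
    {"name": "magento/product-community-edition", "version": "2.4.5-p1"},
]})

if __name__ == "__main__":
    ver = installed_version(SAMPLE_LOCK)
    print(ver, "affected by APSB23-17" if is_affected(ver) else "patched")
```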
Vulnerability Details
| Vulnerability Category | Vulnerability Impact | Severity | Authentication required to exploit? | Exploit requires admin privileges? | CVSS base score | CVSS vector | CVE number(s) |
|---|---|---|---|---|---|---|---|
| XML Injection (aka Blind XPath Injection) (CWE-91) | Arbitrary file system read | Critical | No | No | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | CVE-2023-22247 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | Yes | Yes | 4.8 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | CVE-2023-22249 |
| Improper Access Control (CWE-284) | Security feature bypass | Important | No | No | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | CVE-2023-22250 |
| Improper Authorization (CWE-285) | Security feature bypass | Moderate | No | No | 3.1 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N | CVE-2023-22251 |
Authentication required to exploit: The vulnerability is (or is not) exploitable without credentials.
Exploit requires admin privileges: The vulnerability is (or is not) only exploitable by an attacker with administrative privileges.
Acknowledgements
Adobe would like to thank the following researchers for reporting these issues and working with Adobe to help protect our customers:
- Ricardo Iramar dos Santos – CVE-2023-22247
- linoskoczek (linoskoczek) – CVE-2023-22249
- wash0ut (wash0ut) – CVE-2023-22250
- Theis Corfixen (corfixen) – CVE-2023-22251
For more information, visit https://helpx.adobe.com/security.html, or email [email protected].