Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2023-AVI-0455
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans Adobe Commerce et Magento. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un contournement de la politique de sécurité et une atteinte à la confidentialité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Adobe | Commerce | Adobe Commerce versions 2.4.2-x antérieures à 2.4.2-ext-3 | ||
| Adobe | Magento | Magento Open Source versions 2.4.6-x antérieures à 2.4.6-p1 | ||
| Adobe | Commerce | Adobe Commerce versions 2.4.3-x antérieures à 2.4.3-ext-3 | ||
| Adobe | Magento | Magento Open Source versions antérieures à 2.4.4-p4 | ||
| Adobe | Commerce | Adobe Commerce versions 2.4.6-x antérieures à 2.4.6-p1 | ||
| Adobe | Magento | Magento Open Source versions 2.4.5-x antérieures à 2.4.5-p3 | ||
| Adobe | Commerce | Adobe Commerce versions 2.4.5-x antérieures à 2.4.5-p3 | ||
| Adobe | Commerce | Adobe Commerce versions 2.4.1-x antérieures à 2.4.1-ext-3 | ||
| Adobe | Commerce | Adobe Commerce versions 2.4.4-x antérieures à 2.4.4-p4 | ||
| Adobe | Commerce | Adobe Commerce versions 2.4.0-x antérieures à 2.4.0-ext-3 | ||
| Adobe | Commerce | Adobe Commerce versions antérieures à 2.3.7-p4-ext-3 |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Adobe Commerce versions 2.4.2-x ant\u00e9rieures \u00e0 2.4.2-ext-3",
"product": {
"name": "Commerce",
"vendor": {
"name": "Adobe",
"scada": false
}
}
},
{
"description": "Magento Open Source versions 2.4.6-x ant\u00e9rieures \u00e0 2.4.6-p1",
"product": {
"name": "Magento",
"vendor": {
"name": "Adobe",
"scada": false
}
}
},
{
"description": "Adobe Commerce versions 2.4.3-x ant\u00e9rieures \u00e0 2.4.3-ext-3",
"product": {
"name": "Commerce",
"vendor": {
"name": "Adobe",
"scada": false
}
}
},
{
"description": "Magento Open Source versions ant\u00e9rieures \u00e0 2.4.4-p4",
"product": {
"name": "Magento",
"vendor": {
"name": "Adobe",
"scada": false
}
}
},
{
"description": "Adobe Commerce versions 2.4.6-x ant\u00e9rieures \u00e0 2.4.6-p1",
"product": {
"name": "Commerce",
"vendor": {
"name": "Adobe",
"scada": false
}
}
},
{
"description": "Magento Open Source versions 2.4.5-x ant\u00e9rieures \u00e0 2.4.5-p3",
"product": {
"name": "Magento",
"vendor": {
"name": "Adobe",
"scada": false
}
}
},
{
"description": "Adobe Commerce versions 2.4.5-x ant\u00e9rieures \u00e0 2.4.5-p3",
"product": {
"name": "Commerce",
"vendor": {
"name": "Adobe",
"scada": false
}
}
},
{
"description": "Adobe Commerce versions 2.4.1-x ant\u00e9rieures \u00e0 2.4.1-ext-3",
"product": {
"name": "Commerce",
"vendor": {
"name": "Adobe",
"scada": false
}
}
},
{
"description": "Adobe Commerce versions 2.4.4-x ant\u00e9rieures \u00e0 2.4.4-p4",
"product": {
"name": "Commerce",
"vendor": {
"name": "Adobe",
"scada": false
}
}
},
{
"description": "Adobe Commerce versions 2.4.0-x ant\u00e9rieures \u00e0 2.4.0-ext-3",
"product": {
"name": "Commerce",
"vendor": {
"name": "Adobe",
"scada": false
}
}
},
{
"description": "Adobe Commerce versions ant\u00e9rieures \u00e0 2.3.7-p4-ext-3",
"product": {
"name": "Commerce",
"vendor": {
"name": "Adobe",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2023-29294",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29294"
},
{
"name": "CVE-2023-29291",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29291"
},
{
"name": "CVE-2023-29293",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29293"
},
{
"name": "CVE-2023-29289",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29289"
},
{
"name": "CVE-2023-29297",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29297"
},
{
"name": "CVE-2023-29295",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29295"
},
{
"name": "CVE-2023-29287",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29287"
},
{
"name": "CVE-2023-29296",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29296"
},
{
"name": "CVE-2023-29288",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29288"
},
{
"name": "CVE-2023-29290",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29290"
},
{
"name": "CVE-2023-29292",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29292"
},
{
"name": "CVE-2023-22248",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22248"
}
],
"initial_release_date": "2023-06-14T00:00:00",
"last_revision_date": "2023-06-14T00:00:00",
"links": [],
"reference": "CERTFR-2023-AVI-0455",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2023-06-14T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Adobe Commerce et\nMagento. Elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de\ncode arbitraire \u00e0 distance, un contournement de la politique de s\u00e9curit\u00e9\net une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Adobe Commerce et Magento",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Adobe apsb23-35 du 13 juin 2023",
"url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html"
}
]
}
CVE-2023-29291 (GCVE-0-2023-29291)
Vulnerability from cvelistv5
Published
2023-06-15 00:00
Modified
2025-03-05 18:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF) ()
Summary
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. An admin-privilege authenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Version: unspecified < Version: unspecified < Version: unspecified < Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:07:44.352Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-29291",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-05T18:36:20.432569Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-05T18:56:53.675Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.5-p2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.4-p3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-06-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. An admin-privilege authenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery (SSRF) (CWE-918)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-15T00:00:00.000Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Server Side Request Forgery (SSRF) in USPS carrier integration configuration"
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2023-29291",
"datePublished": "2023-06-15T00:00:00.000Z",
"dateReserved": "2023-04-04T00:00:00.000Z",
"dateUpdated": "2025-03-05T18:56:53.675Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29292 (GCVE-0-2023-29292)
Vulnerability from cvelistv5
Published
2023-06-15 00:00
Modified
2025-03-05 18:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF) ()
Summary
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. An admin-privilege authenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Version: unspecified < Version: unspecified < Version: unspecified < Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:07:44.370Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-29292",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-05T18:36:16.848558Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-05T18:56:48.227Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.5-p2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.4-p3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-06-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. An admin-privilege authenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery (SSRF) (CWE-918)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-15T00:00:00.000Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Server Side Request Forgery (SSRF) in FedEx carrier integration configuration"
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2023-29292",
"datePublished": "2023-06-15T00:00:00.000Z",
"dateReserved": "2023-04-04T00:00:00.000Z",
"dateUpdated": "2025-03-05T18:56:48.227Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29297 (GCVE-0-2023-29297)
Vulnerability from cvelistv5
Published
2023-06-15 00:00
Modified
2025-03-05 18:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine()
Summary
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by a Improper Neutralization of Special Elements Used in a Template Engine vulnerability that could lead to arbitrary code execution by an admin-privilege authenticated attacker. Exploitation of this issue does not require user interaction.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Version: unspecified < Version: unspecified < Version: unspecified < Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:07:44.391Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-29297",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-05T18:37:01.455961Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-05T18:56:15.812Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.5-p2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.4-p3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-06-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by a Improper Neutralization of Special Elements Used in a Template Engine vulnerability that could lead to arbitrary code execution by an admin-privilege authenticated attacker. Exploitation of this issue does not require user interaction."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "Improper Neutralization of Special Elements Used in a Template Engine(CWE-1336)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-15T00:00:00.000Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Admin-to-admin stored XSS via cache poisoning"
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2023-29297",
"datePublished": "2023-06-15T00:00:00.000Z",
"dateReserved": "2023-04-04T00:00:00.000Z",
"dateUpdated": "2025-03-05T18:56:15.812Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22248 (GCVE-0-2023-22248)
Vulnerability from cvelistv5
Published
2023-06-15 00:00
Modified
2025-03-05 18:57
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-863 - Incorrect Authorization ()
Summary
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to leak another user's data. Exploitation of this issue does not require user interaction.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Version: unspecified < Version: unspecified < Version: unspecified < Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:07:05.451Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-22248",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-05T18:39:10.252478Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-05T18:57:27.062Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.5-p2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.4-p3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-06-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to leak another user\u0027s data. Exploitation of this issue does not require user interaction."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect Authorization (CWE-863)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-15T00:00:00.000Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Commerce Incorrect Authorization Security feature bypass"
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2023-22248",
"datePublished": "2023-06-15T00:00:00.000Z",
"dateReserved": "2022-12-19T00:00:00.000Z",
"dateUpdated": "2025-03-05T18:57:27.062Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29294 (GCVE-0-2023-29294)
Vulnerability from cvelistv5
Published
2023-06-15 00:00
Modified
2025-03-05 18:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-840 - Business Logic Errors ()
Summary
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by a Business Logic Errors vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass a minor functionality. Exploitation of this issue does not require user interaction.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Version: unspecified < Version: unspecified < Version: unspecified < Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:07:44.339Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-29294",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-05T18:36:09.536472Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-05T18:56:35.783Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.5-p2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.4-p3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-06-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by a Business Logic Errors vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass a minor functionality. Exploitation of this issue does not require user interaction."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-840",
"description": "Business Logic Errors (CWE-840)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-15T00:00:00.000Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Bypass Purchase Order Approval using Company User in Adobe Commerce B2B"
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2023-29294",
"datePublished": "2023-06-15T00:00:00.000Z",
"dateReserved": "2023-04-04T00:00:00.000Z",
"dateUpdated": "2025-03-05T18:56:35.783Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29287 (GCVE-0-2023-29287)
Vulnerability from cvelistv5
Published
2023-06-15 00:00
Modified
2025-03-05 18:57
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Information Exposure ()
Summary
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Information Exposure vulnerability that could lead to a security feature bypass. An attacker could leverage this vulnerability to leak minor user data. Exploitation of this issue does not require user interaction..
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Version: unspecified < Version: unspecified < Version: unspecified < Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:00:16.206Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-29287",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-05T18:39:07.048614Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-05T18:57:21.057Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.5-p2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.4-p3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-06-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Information Exposure vulnerability that could lead to a security feature bypass. An attacker could leverage this vulnerability to leak minor user data. Exploitation of this issue does not require user interaction.."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "Information Exposure (CWE-200)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-15T00:00:00.000Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Commerce Information Exposure Security feature bypass"
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2023-29287",
"datePublished": "2023-06-15T00:00:00.000Z",
"dateReserved": "2023-04-04T00:00:00.000Z",
"dateUpdated": "2025-03-05T18:57:21.057Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29295 (GCVE-0-2023-29295)
Vulnerability from cvelistv5
Published
2023-06-15 00:00
Modified
2025-03-05 18:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-863 - Incorrect Authorization ()
Summary
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass a minor functionality. Exploitation of this issue does not require user interaction.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Version: unspecified < Version: unspecified < Version: unspecified < Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:07:45.429Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-29295",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-05T18:36:06.485183Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-05T18:56:28.900Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.5-p2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.4-p3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-06-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass a minor functionality. Exploitation of this issue does not require user interaction."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect Authorization (CWE-863)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-15T00:00:00.000Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Insecure Direct Object Reference (IDOR) in Create Quote Function"
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2023-29295",
"datePublished": "2023-06-15T00:00:00.000Z",
"dateReserved": "2023-04-04T00:00:00.000Z",
"dateUpdated": "2025-03-05T18:56:28.900Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29289 (GCVE-0-2023-29289)
Vulnerability from cvelistv5
Published
2023-06-15 00:00
Modified
2025-03-05 18:57
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-91 - XML Injection (aka Blind XPath Injection) ()
Summary
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an XML Injection vulnerability. An attacker with low privileges can trigger a specially crafted script to a security feature bypass. Exploitation of this issue does not require user interaction.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Version: unspecified < Version: unspecified < Version: unspecified < Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:00:16.125Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-29289",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-05T18:36:23.914820Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-05T18:57:07.159Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.5-p2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.4-p3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-06-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an XML Injection vulnerability. An attacker with low privileges can trigger a specially crafted script to a security feature bypass. Exploitation of this issue does not require user interaction."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-91",
"description": "XML Injection (aka Blind XPath Injection) (CWE-91)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-15T00:00:00.000Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Commerce XML Injection Security feature bypass"
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2023-29289",
"datePublished": "2023-06-15T00:00:00.000Z",
"dateReserved": "2023-04-04T00:00:00.000Z",
"dateUpdated": "2025-03-05T18:57:07.159Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29288 (GCVE-0-2023-29288)
Vulnerability from cvelistv5
Published
2023-06-15 00:00
Modified
2025-03-05 18:57
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-863 - Incorrect Authorization ()
Summary
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A privileged attacker could leverage this vulnerability to modify a minor functionality of another user's data. Exploitation of this issue does not require user interaction.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Adobe Commerce |
Version: 0 ≤ 2.4.4-p3 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:00:15.992Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-29288",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-05T18:36:27.663731Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-05T18:57:14.241Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Adobe Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.4-p3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"datePublic": "2023-06-13T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A privileged attacker could leverage this vulnerability to modify a minor functionality of another user\u0027s data. Exploitation of this issue does not require user interaction."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 4.3,
"environmentalSeverity": "MEDIUM",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "LOW",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "NETWORK",
"modifiedAvailabilityImpact": "NONE",
"modifiedConfidentialityImpact": "NONE",
"modifiedIntegrityImpact": "LOW",
"modifiedPrivilegesRequired": "LOW",
"modifiedScope": "UNCHANGED",
"modifiedUserInteraction": "NONE",
"privilegesRequired": "LOW",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "UNCHANGED",
"temporalScore": 4.3,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect Authorization (CWE-863)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-17T11:11:32.577Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Commerce | Incorrect Authorization (CWE-863)"
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2023-29288",
"datePublished": "2023-06-15T00:00:00.000Z",
"dateReserved": "2023-04-04T00:00:00.000Z",
"dateUpdated": "2025-03-05T18:57:14.241Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29293 (GCVE-0-2023-29293)
Vulnerability from cvelistv5
Published
2023-06-15 00:00
Modified
2025-03-05 18:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation ()
Summary
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. An admin privileged attacker could leverage this vulnerability to impact the availability of a user's minor feature. Exploitation of this issue does not require user interaction.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Adobe Commerce |
Version: 0 ≤ 2.4.4-p3 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:07:45.466Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-29293",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-05T18:36:13.056473Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-05T18:56:42.132Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Adobe Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.4-p3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"datePublic": "2023-06-13T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. An admin privileged attacker could leverage this vulnerability to impact the availability of a user\u0027s minor feature. Exploitation of this issue does not require user interaction."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 2.7,
"environmentalSeverity": "LOW",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "NONE",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "NETWORK",
"modifiedAvailabilityImpact": "LOW",
"modifiedConfidentialityImpact": "NONE",
"modifiedIntegrityImpact": "NONE",
"modifiedPrivilegesRequired": "HIGH",
"modifiedScope": "UNCHANGED",
"modifiedUserInteraction": "NONE",
"privilegesRequired": "HIGH",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "UNCHANGED",
"temporalScore": 2.7,
"temporalSeverity": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation (CWE-20)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-17T11:11:39.524Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Commerce | Improper Input Validation (CWE-20)"
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2023-29293",
"datePublished": "2023-06-15T00:00:00.000Z",
"dateReserved": "2023-04-04T00:00:00.000Z",
"dateUpdated": "2025-03-05T18:56:42.132Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29290 (GCVE-0-2023-29290)
Vulnerability from cvelistv5
Published
2023-06-15 00:00
Modified
2025-03-05 18:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-353 - Missing Support for Integrity Check ()
Summary
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to bypass a minor functionality. Exploitation of this issue does not require user interaction.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Version: unspecified < Version: unspecified < Version: unspecified < Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:07:45.451Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-29290",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-05T18:39:03.327161Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-05T18:56:59.932Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.5-p2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.4-p3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-06-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to bypass a minor functionality. Exploitation of this issue does not require user interaction."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-353",
"description": "Missing Support for Integrity Check (CWE-353)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-15T00:00:00.000Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Commerce Guest Cart Shipping Address Overwrite IDOR "
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2023-29290",
"datePublished": "2023-06-15T00:00:00.000Z",
"dateReserved": "2023-04-04T00:00:00.000Z",
"dateUpdated": "2025-03-05T18:56:59.932Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29296 (GCVE-0-2023-29296)
Vulnerability from cvelistv5
Published
2023-06-15 00:00
Modified
2025-03-05 18:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-863 - Incorrect Authorization ()
Summary
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to modify a minor functionality of another user's data. Exploitation of this issue does not require user interaction.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Version: unspecified < Version: unspecified < Version: unspecified < Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:07:44.360Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-29296",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-05T18:36:03.689164Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-05T18:56:22.539Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.5-p1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.5-p2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.4-p3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-06-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to modify a minor functionality of another user\u0027s data. Exploitation of this issue does not require user interaction."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect Authorization (CWE-863)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-15T00:00:00.000Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "[Cloud] Customer suspects IDOR vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2023-29296",
"datePublished": "2023-06-15T00:00:00.000Z",
"dateReserved": "2023-04-04T00:00:00.000Z",
"dateUpdated": "2025-03-05T18:56:22.539Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…