CVE-2023-38207

EPSS 0.7%
Published 09.08.2023 08:15:09
Last modified 21.11.2024 08:13:05
Source psirt@adobe.com
Teams watchlist Login
Open Login

Adobe Commerce versions 2.4.6-p1 (and earlier), 2.4.5-p3 (and earlier) and 2.4.4-p4 (and earlier) are affected by a XML Injection (aka Blind XPath Injection) vulnerability that could lead in minor arbitrary file system read. Exploitation of this issue does not require user interaction.

Affected products Warnungen 0 Metrics 3 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Adobe ≫ Commerce Version < 2.4.4

Adobe ≫ Commerce Version2.4.4 Update-

Adobe ≫ Commerce Version2.4.4 Updatep1

Adobe ≫ Commerce Version2.4.4 Updatep2

Adobe ≫ Commerce Version2.4.4 Updatep3

Adobe ≫ Commerce Version2.4.4 Updatep4

Adobe ≫ Commerce Version2.4.5 Update-

Adobe ≫ Commerce Version2.4.5 Updatep1

Adobe ≫ Commerce Version2.4.5 Updatep2

Adobe ≫ Commerce Version2.4.5 Updatep3

Adobe ≫ Commerce Version2.4.6 Update-

Adobe ≫ Commerce Version2.4.6 Updatep1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.7%	0.707

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
psirt@adobe.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-91 XML Injection (aka Blind XPath Injection)

The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

https://helpx.adobe.com/security/products/magento/apsb23-42.html

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-38207

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-38207

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-38207

EUVD