CVE-2023-22247

CVE Database · CVE-2023-22247

CVE-2023-22247

· HIGHModified

CVSS v3.1

7.5

EPSS

0.93%

Published

Mar 27, 2023

Modified

Nov 21, 2024

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an XML Injection vulnerability that could lead to arbitrary file system read. An unauthenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Weaknesses (CWE)

CWE-91

Affected Products (12)

adobe · commerce (up to 2.4.4)vulnerable

adobe · commercevulnerable

adobe · magento_open_source (up to 2.4.4)vulnerable

adobe · magento_open_sourcevulnerable

References (2)

https://helpx.adobe.com/security/products/magento/apsb23-17.html

Release NotesVendor Advisory

https://helpx.adobe.com/security/products/magento/apsb23-17.html

Release NotesVendor Advisory

KEV Catalog EPSS Scores Vendors All CVEs