CVE-2023-26366

Name of the Vulnerable Software and Affected Versions Adobe Commerce versions 2.4.7-beta1 and earlier Adobe Commerce versions 2.4.6-p2 and earlier Adobe Commerce versions 2.4.5-p4 and earlier Adobe Commerce versions 2.4.4-p5 and earlier

Description The issue is related to a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. A high-privileged authenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction, and the scope is changed due to the fact that an attacker can enforce file read outside the application's path boundary. The vulnerability is associated with insufficient checking of incoming requests.

Recommendations For Adobe Commerce versions 2.4.7-beta1 and earlier, update to a version that includes the fix for this issue. For Adobe Commerce versions 2.4.6-p2 and earlier, update to a version that includes the fix for this issue. For Adobe Commerce versions 2.4.5-p4 and earlier, update to a version that includes the fix for this issue. For Adobe Commerce versions 2.4.4-p5 and earlier, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the application to minimize the risk of exploitation.