PT-2023-5322 · Adobe · Commerce

Published: 2023-08-08 · Updated: 2023-09-14 · CVE-2023-38207

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Adobe Commerce versions 2.4.6-p1 and earlier
Adobe Commerce versions 2.4.5-p3 and earlier
Adobe Commerce versions 2.4.4-p4 and earlier

Description

The issue is related to errors in processing XML requests, which could allow a remote attacker to disclose protected information by transmitting specially crafted XML data. Exploitation of this issue does not require user interaction. It is an XML Injection vulnerability, also known as Blind XPath Injection, that could lead to a minor arbitrary file system read.

Recommendations

For Adobe Commerce versions 2.4.6-p1 and earlier, update to a version that fixes the XML Injection vulnerability.
For Adobe Commerce versions 2.4.5-p3 and earlier, update to a version that fixes the XML Injection vulnerability.
For Adobe Commerce versions 2.4.4-p4 and earlier, update to a version that fixes the XML Injection vulnerability.
As a temporary workaround, consider restricting the processing of XML requests to minimize the risk of exploitation.

Fix

Weakness Enumeration

Related Identifiers

BDU:2023-05949
CVE-2023-38207
GHSA-RPV2-G4PC-WP72

Affected Products

Commerce