CVE-2023-38219

Name of the Vulnerable Software and Affected Versions Adobe Commerce versions 2.4.7-beta1 through 2.4.4-p5

Description The issue is related to the lack of protection of the web page structure in Magento Open Source and Adobe Commerce, allowing a remote attacker to conduct cross-site scripting attacks. A stored Cross-Site Scripting (XSS) vulnerability could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. The payload is stored in an admin area, resulting in high confidentiality and integrity impact.

Recommendations For Adobe Commerce versions 2.4.7-beta1 through 2.4.4-p5, consider disabling the vulnerable form fields in the admin area until a patch is available. Restrict access to the admin area to minimize the risk of exploitation. Avoid using the vulnerable form fields until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.