CVE-2023-38221

Name of the Vulnerable Software and Affected Versions Adobe Commerce versions 2.4.7-beta1 and earlier Adobe Commerce versions 2.4.6-p2 and earlier Adobe Commerce versions 2.4.5-p4 and earlier Adobe Commerce versions 2.4.4-p5 and earlier

Description The issue is related to the lack of protection against SQL query structure attacks in Adobe Commerce and Magento Open Source. This could allow a remote attacker to execute arbitrary code. The exploitation of this issue does not require user interaction and has high attack complexity, as it requires knowledge of tooling beyond just using the UI. An admin-privilege authenticated attacker could lead to arbitrary code execution.

Recommendations For Adobe Commerce versions 2.4.7-beta1 and earlier, update to a version that includes the fix for this issue. For Adobe Commerce versions 2.4.6-p2 and earlier, update to a version that includes the fix for this issue. For Adobe Commerce versions 2.4.5-p4 and earlier, update to a version that includes the fix for this issue. For Adobe Commerce versions 2.4.4-p5 and earlier, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to admin-privilege accounts until a patch is available.