CVE-2023-38249

Name of the Vulnerable Software and Affected Versions Adobe Commerce versions 2.4.7-beta1 and earlier Adobe Commerce versions 2.4.6-p2 and earlier Adobe Commerce versions 2.4.5-p4 and earlier Adobe Commerce versions 2.4.4-p5 and earlier

Description The issue is related to an Improper Neutralization of Special Elements used in an SQL Command, also known as a SQL Injection vulnerability. This could lead to arbitrary code execution by an admin-privilege authenticated attacker. Exploitation of this issue does not require user interaction and attack complexity is high as it requires knowledge of tooling beyond just using the UI.

Recommendations For Adobe Commerce versions 2.4.7-beta1 and earlier, update to a version that is not affected by this issue. For Adobe Commerce versions 2.4.6-p2 and earlier, update to a version that is not affected by this issue. For Adobe Commerce versions 2.4.5-p4 and earlier, update to a version that is not affected by this issue. For Adobe Commerce versions 2.4.4-p5 and earlier, update to a version that is not affected by this issue. As a temporary workaround, consider restricting access to SQL commands to minimize the risk of exploitation.