PT-2023-6092 · Adobe · Commerce

Published 2023-07-13 · Updated 2023-12-04 · CVE-2023-38218

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Adobe Commerce versions 2.4.7-beta1 and earlier
Adobe Commerce versions 2.4.6-p2 and earlier
Adobe Commerce versions 2.4.5-p4 and earlier
Adobe Commerce versions 2.4.4-p5 and earlier
Description
The issue stems from improper input validation combined with incorrect authorization. An authenticated attacker can exploit it to achieve information exposure and privilege escalation by triggering an insecure direct object reference (IDOR) in the V1/customers/me endpoint. Because the endpoint's input is insufficiently validated, a remote attacker can elevate their privileges.
Recommendations
For Adobe Commerce versions 2.4.7-beta1 and earlier, update to a version that includes the fix for this issue.
For Adobe Commerce versions 2.4.6-p2 and earlier, update to a version that includes the fix for this issue.
For Adobe Commerce versions 2.4.5-p4 and earlier, update to a version that includes the fix for this issue.
For Adobe Commerce versions 2.4.4-p5 and earlier, update to a version that includes the fix for this issue.
As a temporary workaround, consider restricting access to the V1/customers/me endpoint to minimize the risk of exploitation.
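The IDOR pattern named in the description, shown as an added Python example that is not Adobe Commerce code: a hypothetical authenticated "me" update handler that trusts a client-supplied customer id, beside a hardened version that binds the record to the session and accepts only self-service fields. The store contents, field names and function names are constructed for the illustration.

```python
# Added illustration, not Adobe Commerce code: a "me" endpoint that lets the
# request choose the customer record (IDOR) beside a hardened version that
# binds the record to the session and validates the fields. All names constructed.
from copy import deepcopy
from dataclasses import dataclass

SAMPLE_STORE = {  # constructed sample customer records
    1: {"id": 1, "email": "alice@example.test", "group": "general"},
    2: {"id": 2, "email": "bob@example.test", "group": "general"},
}
ALLOWED_SELF_UPDATE = {"email"}  # fields a customer may change about themselves

@dataclass
class Session:
    customer_id: int  # identity established by the authentication layer

class AuthorizationError(Exception):
    pass

def sample_store() -> dict:
    """Fresh copy of the sample data so each call starts from a known state."""
    return deepcopy(SAMPLE_STORE)

def update_me_vulnerable(session: Session, payload: dict, store: dict) -> dict:
    """IDOR: the record to modify is taken from the request, not the session,
    and every field in the payload is written through without validation."""
    target = payload.get("id", session.customer_id)
    store[target].update({k: v for k, v in payload.items() if k != "id"})
    return store[target]

def update_me_fixed(session: Session, payload: dict, store: dict) -> dict:
    """Hardened: the subject is always the authenticated customer, a mismatching
    id is rejected (worth logging as a tamper attempt), and only self-service
    fields are accepted, so privilege-bearing fields cannot be set here."""
    if "id" in payload and payload["id"] != session.customer_id:
        raise AuthorizationError("customer id in payload does not match session")
    unexpected = set(payload) - ALLOWED_SELF_UPDATE - {"id"}
    if unexpected:
        raise ValueError(f"fields not permitted on /me: {sorted(unexpected)}")
    record = store[session.customer_id]
    record.update({k: payload[k] for k in ALLOWED_SELF_UPDATE if k in payload})
    return record

def try_update(handler, session: Session, payload: dict, store: dict) -> tuple:
    """Run a handler and report ('ok', record) or ('denied', exception name)."""
    try:
        return "ok", handler(session, payload, store)
    except (AuthorizationError, ValueError) as exc:
        return "denied", type(exc).__name__
```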

Fix · IDOR · RCE · Incorrect Authorization

Weakness Enumeration

Related Identifiers

BDU:2023-06795
CVE-2023-38218
GHSA-RPC7-GF58-V3X2

Affected Products

Commerce