CVE-2023-29289

Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an XML Injection vulnerability. An attacker with low privileges can trigger a specially crafted script to a security feature bypass. Exploitation of this issue does not require user interaction.

Published: Jun 15, 2023
Updated: Jun 16, 2023
CVE: CVE-2023-29289
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWEs:

CWE-91

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
adobe / commerce	2.3.7-p1	2.3.7-p1.x
adobe / commerce	2.4.3	2.4.3.x
adobe / commerce	2.3.7-p2	2.3.7-p2.x
adobe / commerce	2.4.4	2.4.4.x
adobe / commerce	2.3.7	2.3.7.x
adobe / commerce	2.3.7-p3	2.3.7-p3.x
adobe / commerce	2.4.5	2.4.5.x
adobe / commerce	2.4.4-p1	2.4.4-p1.x
adobe / commerce	2.4.5-p1	2.4.5-p1.x
adobe / commerce	2.4.4-p2	2.4.4-p2.x
adobe / commerce	2.4.5-p2	2.4.5-p2.x
adobe / commerce	2.4.4-p3	2.4.4-p3.x
adobe / commerce	2.4.6	2.4.6.x
adobe / magento	2.4.4	2.4.4.x
adobe / magento	2.4.4-p1	2.4.4-p1.x
adobe / magento	2.4.4-p2	2.4.4-p2.x
adobe / magento	2.4.4-p3	2.4.4-p3.x
adobe / magento	2.4.5	2.4.5.x
adobe / magento	2.4.5-p1	2.4.5-p1.x
adobe / magento	2.4.5-p2	2.4.5-p2.x
adobe / magento	2.4.6	2.4.6.x
adobe / commerce	2.3.7-p4-ext2	2.3.7-p4-ext2.x
adobe / commerce	2.3.7-p4-ext1	2.3.7-p4-ext1.x
adobe / commerce	2.3.7-p4	2.3.7-p4.x
adobe / commerce	2.4.0	2.4.0.x
adobe / commerce	2.4.0-ext-1	2.4.0-ext-1.x
adobe / commerce	2.4.0-ext-2	2.4.0-ext-2.x
adobe / commerce	2.4.1	2.4.1.x
adobe / commerce	2.4.1-ext-1	2.4.1-ext-1.x
adobe / commerce	2.4.1-ext-2	2.4.1-ext-2.x
adobe / commerce	2.4.2	2.4.2.x
adobe / commerce	2.4.2-ext-1	2.4.2-ext-1.x
adobe / commerce	2.4.2-ext-2	2.4.2-ext-2.x
adobe / commerce	2.4.3-ext-2	2.4.3-ext-2.x
adobe / commerce	2.4.3-ext-1	2.4.3-ext-1.x

https://helpx.adobe.com/security/products/magento/apsb23-35.html

Vulnerability Database

289,784

CVE-2023-29289