Adobe Security Bulletin

Search

Security update available for Adobe Commerce | APSB23-17

Bulletin ID

Date Published

Priority

APSB23-17

March 14, 2023

3

Summary

Adobe has released a security update for Adobe Commerce and Magento Open Source. This update resolves critical, important and moderate vulnerabilities.  Successful exploitation could lead to arbitrary code execution, security feature bypass and arbitrary file system read.

Affected Versions

Product Version Platform
 Adobe Commerce
 2.4.4-p2 and earlier versions 
 All
2.4.5-p1 and earlier version
 All
Magento Open Source 2.4.4-p2 and earlier versions
 All
2.4.5-p1 and earlier version 
 All

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.

 

Product Updated Version Platform Priority Rating Installation Instructions
Adobe Commerce
 2.4.6, 2.4.5-p2, 2.4.4-p3
 All
 3 2.4.x release notes
Magento Open Source 
 2.4.6, 2.4.5-p2, 2.4.4-p3
 All
 3

Vulnerability Details

Vulnerability Category Vulnerability Impact Severity Authentication required to exploit? Exploit requires admin privileges?
 CVSS base score
 CVSS vector
 CVE number(s)
XML Injection (aka Blind XPath Injection) (CWE-91)
 Arbitrary file system read
 Critical No No 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
 CVE-2023-22247
Cross-site Scripting (Stored XSS) (CWE-79)
 Arbitrary code execution
 Important Yes Yes 4.8 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
 CVE-2023-22249
Improper Access Control (CWE-284)
 Security feature bypass
 Important No No 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
 CVE-2023-22250
Improper Authorization (CWE-285)
 Security feature bypass
 Moderate No No 3.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
 CVE-2023-22251

 

Note:

Authentication required to exploit: The vulnerability is (or is not) exploitable without credentials.


Exploit requires admin privileges: The vulnerability is (or is not) only exploitable by an attacker with administrative privileges.

Acknowledgements

Adobe would like to thank the following researchers for reporting this issue and working with Adobe to help protect our customers:

  • Ricardo Iramar dos Santos -- CVE-2023-22247
  • linoskoczek (linoskoczek) -- CVE-2023-22249
  • wash0ut (wash0ut) -- CVE-2023-22250
  • Theis Corfixen (corfixen) -- CVE-2023-22251

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

 Adobe

Get help faster and easier

New user?

Quick links

View all your plans Manage your plans
View quick links
Hide quick links