CVE-2023-26366: Server-Side Request Forgery in Adobe Commerce

Severity: 6.8 MEDIUM (NVD)
EPSS: 0.3% (top 44.48%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 13

Description

Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. A high-privileged authenticated attacker can force the application to make arbitrary requests by injecting arbitrary URLs. Exploitation of this issue does not require user interaction; the scope is changed because the attacker can force a file read.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Exploitability: 2.3 | Impact: 4.0

Affected Packages (5 packages)

CVEListV5: adobe/adobe_commerce 2.4.7-beta1
NVD: adobe/commerce (9 versions)
NVD: adobe/magento (4 versions)
Packagist: magento/community-edition 2.4.7-beta1, 2.4.7-beta2 (and 3 more)

Vulnerability Details (3 references)

OSV: Magento Open Source allows Server-Side Request Forgery (SSRF) (2023-10-13)
CVEList: Validate Your Inputs | Server-Side Request Forgery (SSRF) (CWE-918) (2023-10-13)
GHSA: Magento Open Source allows Server-Side Request Forgery (SSRF) (2023-10-13)
CVE-2023-26366 — Server-Side Request Forgery in Adobe | cvebase