CVE-2023-38219Cross-site Scripting in Adobe Commerce

CWE-79Cross-site Scripting4 documents4 sources
Severity
8.7HIGHNVD
EPSS
1.5%
top 18.71%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
Magento Community-editionAdobe CommerceMagento Project-community-edition+2 more
Timeline
PublishedOct 13

Description

Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Payload is stored in an admin area, resulting in high confidentiality and integri

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:NExploitability: 2.3 | Impact: 5.8

Affected Packages5 packages

CVEListV5adobe/adobe_commerce2.4.7-beta1
NVDadobe/commerce9 versions+8
NVDadobe/magento4 versions+3
Packagistmagento/community-edition2.4.7-beta12.4.7-beta2+3

🔴Vulnerability Details

3
GHSA
Magento Open Source allows Cross-Site Scripting (XSS)2023-10-13
OSV
Magento Open Source allows Cross-Site Scripting (XSS)2023-10-13
CVEList
Validate Your Inputs | Cross-site Scripting (Stored XSS) (CWE-79) - Customer to Admin stored XSS with Gift wrapping2023-10-13
CVE-2023-38219 — Cross-site Scripting in Adobe Commerce | cvebase