CVE-2023-38250 — SQL Injection in Adobe Commerce

CWE-89 — SQL Injection4 documents4 sources

Severity

6.6MEDIUMNVD

CNA8.0

EPSS

1.7%

top 17.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Magento Community-edition Adobe Commerce Magento Project-community-edition +2 more

Timeline

PublishedOct 13

Description

Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability that could lead in arbitrary code execution by an admin-privilege authenticated attacker. Exploitation of this issue does not require user interaction and attack complexity is high as it requires knowledge of tooling beyond just using the UI.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 0.7 | Impact: 5.9

Affected Packages5 packages

▶CVEListV5adobe/adobe_commerce2.4.7-beta1

▶NVDadobe/commerce9 versions+8

▶NVDadobe/magento4 versions+3

▶Packagistmagento/community-edition2.4.7-beta1 — 2.4.7-beta2+3

▶Packagistmagento/project-community-edition2.0.2

🔴Vulnerability Details

OSV

Magento Open Source allows SQL Injection↗2023-10-13

▶

GHSA

Magento Open Source allows SQL Injection↗2023-10-13

▶

CVEList

Adobe Commerce | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)↗2023-10-13

▶