Magento Community-Edition vulnerabilities

CVE-2023-26367 [MEDIUM] CWE-20 Magento Open Source has Improper Input Validation Vulnerability Magento Open Source has Improper Input Validation Vulnerability Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Input Validation vulnerability that could lead to arbitrary file system read by an admin-privilege authenticated attacker. Exploitation of this issue does not require user interaction.

CVE-2023-38251 [MEDIUM] CWE-400 Magento Open Source allows Uncontrolled Resource Consumption Magento Open Source allows Uncontrolled Resource Consumption Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Uncontrolled Resource Consumption vulnerability that could lead into a minor application denial-of-service. Exploitation of this issue does not require user interaction.

CVE-2023-38218 [MEDIUM] CWE-20 Magento Open Source allows Incorrect Authorization Magento Open Source allows Incorrect Authorization Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an improper input validation vulnerability. An authenticated attacker can trigger an insecure direct object reference in the `V1/customers/me` endpoint to achieve information exposure and privilege escalation.

CVE-2023-38249 [MEDIUM] CWE-89 Magento Open Source allows SQL Injection Magento Open Source allows SQL Injection Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability that could lead in arbitrary code execution by an admin-privilege authenticated attacker. Exploitation of this issue does not require user inte

CVE-2023-38221 [MEDIUM] CWE-89 Magento Open Source allows SQL Injection Magento Open Source allows SQL Injection Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability that could lead in arbitrary code execution by an admin-privilege authenticated attacker. Exploitation of this issue does not require user inte

CVE-2023-38220 [MEDIUM] CWE-285 Magento Open Source allows Improper Authorization Magento Open Source allows Improper Authorization Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Authorization vulnerability that could lead in a security feature bypass in a way that an attacker could access unauthorised data. Exploitation of this issue does not require user interaction.

CVE-2023-26366 [MEDIUM] CWE-918 Magento Open Source allows Server-Side Request Forgery (SSRF) Magento Open Source allows Server-Side Request Forgery (SSRF) Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. A high-privileged authenticated attacker can force the application to make arbitrary requests via inject

CVE-2023-38250 [MEDIUM] CWE-89 Magento Open Source allows SQL Injection Magento Open Source allows SQL Injection Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability that could lead in arbitrary code execution by an admin-privilege authenticated attacker. Exploitation of this issue does not require user inte

CVE-2023-38219 [LOW] CWE-79 Magento Open Source allows Cross-Site Scripting (XSS) Magento Open Source allows Cross-Site Scripting (XSS) Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when t

CVE-2022-24093 [MEDIUM] CWE-20 Magento Open Source affected by Improper Input Validation Magento Open Source affected by Improper Input Validation Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability. Exploitation of this issue does not require user interaction and could result in a post-authentication arbitrary code execution.

CVE-2021-36023 [CRITICAL] CWE-78 Magento XML Injection vulnerability in the Widgets Update Layout Magento XML Injection vulnerability in the Widgets Update Layout Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.

CVE-2021-36021 [CRITICAL] CWE-20 Magento affected by remote code execution vulnerability in the CMS page scheduled update feature Magento affected by remote code execution vulnerability in the CMS page scheduled update feature Magento versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an Improper input validation vulnerability within the CMS page scheduled update feature. An authenticated attacker with administrative privilege could leverage this vulner

CVE-2021-36036 [CRITICAL] CWE-284 Magento improper access control vulnerability within Magento's Media Gallery Upload workflow Magento improper access control vulnerability within Magento's Media Gallery Upload workflow Magento versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper access control vulnerability within Magento's Media Gallery Upload workflow. By storing a specially crafted file in the website gallery, an authenticated attacker wit

CVE-2023-38208 [HIGH] CWE-78 Magento Open Source allows Improper Neutralization of Special Elements Used Magento Open Source allows Improper Neutralization of Special Elements Used Adobe Commerce versions 2.4.6-p1 (and earlier), 2.4.5-p3 (and earlier) and 2.4.4-p4 (and earlier) are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead to arbitrary code execution by an admin-privilege authenticated attacker. Exploi

CVE-2023-38209 [MEDIUM] CWE-863 Magento Open Source allows Incorrect Authorization Magento Open Source allows Incorrect Authorization Adobe Commerce versions 2.4.6-p1 (and earlier), 2.4.5-p3 (and earlier) and 2.4.4-p4 (and earlier) are affected by an Incorrect Authorization vulnerability that could lead to a Security feature bypass. A low-privileged attacker could leverage this vulnerability to access other user's data. Exploitation of this issue does not require user interaction.

CVE-2023-38207 [LOW] CWE-91 Magento Open Source allows XML Injection Magento Open Source allows XML Injection Adobe Commerce versions 2.4.6-p1 (and earlier), 2.4.5-p3 (and earlier) and 2.4.4-p4 (and earlier) are affected by a XML Injection (aka Blind XPath Injection) vulnerability that could lead in minor arbitrary file system read. Exploitation of this issue does not require user interaction.

CVE-2023-22249 [LOW] CWE-79 Magento Open Source allows Cross-Site Scripting (XSS) Magento Open Source allows Cross-Site Scripting (XSS) Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable f

CVE-2023-29297 [HIGH] CWE-1336 Magento Open Source allows Improper Neutralization of Special Elements Used Magento Open Source allows Improper Neutralization of Special Elements Used Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by a Improper Neutralization of Special Elements Used in a Template Engine vulnerability that could lead to arbitrary code execution by an admin-privilege authenticated attacker. Exploitation of this issue do

CVE-2023-29287 [MEDIUM] CWE-200 Magento Open Source allows Information Exposure Magento Open Source allows Information Exposure Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Information Exposure vulnerability that could lead to a security feature bypass. An attacker could leverage this vulnerability to leak minor user data. Exploitation of this issue does not require user interaction..

CVE-2023-29290 [MEDIUM] CWE-353 Magento Open Source allows Incorrect Authorization Magento Open Source allows Incorrect Authorization Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to bypass a minor functionality. Exploitation of this issue does not require user interaction.