CVE-2023-38207: Adobe Commerce XML Injection (aka Blind XPath Injection) Arbitrary file system read
First published: Wed Aug 09 2023(Updated: )
Adobe Commerce versions 2.4.6-p1 (and earlier), 2.4.5-p3 (and earlier) and 2.4.4-p4 (and earlier) are affected by a XML Injection (aka Blind XPath Injection) vulnerability that could lead in minor arbitrary file system read. Exploitation of this issue does not require user interaction.
Credit: psirt@adobe.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Adobe Magento Commerce | <2.4.4 | |
| Adobe Magento Commerce | =2.4.4 | |
| Adobe Magento Commerce | =2.4.4-p1 | |
| Adobe Magento Commerce | =2.4.4-p2 | |
| Adobe Magento Commerce | =2.4.4-p3 | |
| Adobe Magento Commerce | =2.4.4-p4 | |
| Adobe Magento Commerce | =2.4.5 | |
| Adobe Magento Commerce | =2.4.5-p1 | |
| Adobe Magento Commerce | =2.4.5-p2 | |
| Adobe Magento Commerce | =2.4.5-p3 | |
| Adobe Magento Commerce | =2.4.6 | |
| Adobe Magento Commerce | =2.4.6-p1 | |
| composer/magento/project-community-edition | <=2.0.2 | |
| composer/magento/community-edition | >=2.4.4-p1<2.4.4-p5 | 2.4.4-p5 |
| composer/magento/community-edition | >=2.4.5-p1<2.4.5-p4 | 2.4.5-p4 |
| composer/magento/community-edition | =2.4.6-p1 | 2.4.6-p2 |
| composer/magento/community-edition | =2.4.4 | |
| composer/magento/community-edition | =2.4.5 | |
| composer/magento/community-edition | =2.4.6 | |
| <2.4.4 | ||
| =2.4.4 | ||
| =2.4.4-p1 | ||
| =2.4.4-p2 | ||
| =2.4.4-p3 | ||
| =2.4.4-p4 | ||
| =2.4.5 | ||
| =2.4.5-p1 | ||
| =2.4.5-p2 | ||
| =2.4.5-p3 | ||
| =2.4.6 | ||
| =2.4.6-p1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this Adobe Commerce vulnerability?
The vulnerability ID for this Adobe Commerce vulnerability is CVE-2023-38207.
What is the severity level of CVE-2023-38207?
The severity level of CVE-2023-38207 is high.
What is the affected software version for this vulnerability?
The affected software versions for this vulnerability are Adobe Commerce 2.4.6-p1 (and earlier), 2.4.5-p3 (and earlier), and 2.4.4-p4 (and earlier).
What is the impact of this vulnerability?
This vulnerability could lead to a minor arbitrary file system read.
Is user interaction required to exploit this vulnerability?
No, exploitation of this vulnerability does not require user interaction.
- agent/type
- agent/weakness
- agent/description
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-rpv2-g4pc-wp72
- alias/CVE-2023-38207
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/severity
- agent/references
- agent/source
- agent/softwarecombine
- agent/tags
- agent/event
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- vendor/adobe
- canonical/adobe magento commerce
- version/adobe magento commerce/2.4.4
- version/adobe magento commerce/2.4.4-p1
- version/adobe magento commerce/2.4.4-p2
- version/adobe magento commerce/2.4.4-p3
- version/adobe magento commerce/2.4.4-p4
- version/adobe magento commerce/2.4.5
- version/adobe magento commerce/2.4.5-p1
- version/adobe magento commerce/2.4.5-p2
- version/adobe magento commerce/2.4.5-p3
- version/adobe magento commerce/2.4.6
- version/adobe magento commerce/2.4.6-p1
- package-manager/composer