CVSS: 5.3EPSS: 0%CPEs: 58EXPL: 0CVE-2023-38251 – Adobe Commerce | Uncontrolled Resource Consumption (CWE-400)
https://notcve.org/view.php?id=CVE-2023-38251
13 Oct 2023 — Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by a Uncontrolled Resource Consumption vulnerability that could lead in minor application denial-of-service. Exploitation of this issue does not require user interaction. Las versiones de Adobe Commerce 2.4.7-beta1 (y anteriores), 2.4.6-p2 (y anteriores), 2.4.5-p4 (y anteriores) y 2.4.4-p5 (y anteriores) se ven afectadas por una vulnerabilidad de Consumo de Recursos Incon... • https://helpx.adobe.com/security/products/magento/apsb23-50.html • CWE-400: Uncontrolled Resource Consumption •
CVSS: 8.7EPSS: 1%CPEs: 58EXPL: 0CVE-2023-38219 – Validate Your Inputs | Cross-site Scripting (Stored XSS) (CWE-79) - Customer to Admin stored XSS with Gift wrapping
https://notcve.org/view.php?id=CVE-2023-38219
13 Oct 2023 — Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Payload is stored in an admin area, resulting in high confidentiality and integrity impact. L... • https://helpx.adobe.com/security/products/magento/apsb23-50.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 58EXPL: 0CVE-2023-38220 – Full page cache enumeration via cookie X-Magento-Vary
https://notcve.org/view.php?id=CVE-2023-38220
13 Oct 2023 — Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Authorization vulnerability that could lead in a security feature bypass in a way that an attacker could access unauthorised data. Exploitation of this issue does not require user interaction. Las versiones de Adobe Commerce 2.4.7-beta1 (y anteriores), 2.4.6-p2 (y anteriores), 2.4.5-p4 (y anteriores) y 2.4.4-p5 (y anteriores) se ven afectadas por una vulner... • https://helpx.adobe.com/security/products/magento/apsb23-50.html • CWE-285: Improper Authorization •
CVSS: 6.1EPSS: 1%CPEs: 58EXPL: 0CVE-2023-26367 – Error based file extraction via PHP filter chains during product bulk import logic
https://notcve.org/view.php?id=CVE-2023-26367
13 Oct 2023 — Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Input Validation vulnerability that could lead to arbitrary file system read by an admin-privilege authenticated attacker. Exploitation of this issue does not require user interaction. Las versiones de Adobe Commerce 2.4.7-beta1 (y anteriores), 2.4.6-p2 (y anteriores), 2.4.5-p4 (y anteriores) y 2.4.4-p5 (y anteriores) se ven afectadas por una vulnerabilidad... • https://helpx.adobe.com/security/products/magento/apsb23-50.html • CWE-20: Improper Input Validation •
CVSS: 6.8EPSS: 0%CPEs: 58EXPL: 0CVE-2023-26366 – Validate Your Inputs | Server-Side Request Forgery (SSRF) (CWE-918)
https://notcve.org/view.php?id=CVE-2023-26366
13 Oct 2023 — Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. A high-privileged authenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction, scope is changed due to the fact that an attacker can enforce file read outside the ... • https://helpx.adobe.com/security/products/magento/apsb23-50.html • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 9.0EPSS: 0%CPEs: 58EXPL: 0CVE-2023-38218 – Incorrect Authorization - Customer account takeover
https://notcve.org/view.php?id=CVE-2023-38218
13 Oct 2023 — Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Incorrect Authorization . An authenticated attacker can exploit this to achieve information exposure and privilege escalation. Las versiones de Adobe Commerce 2.4.7-beta1 (y anteriores), 2.4.6-p2 (y anteriores), 2.4.5-p4 (y anteriores) y 2.4.4-p5 (y anteriores) se ven afectadas por una Autorización Incorrecta. Un atacante autenticado puede aprovechar esto para logra... • https://helpx.adobe.com/security/products/magento/apsb23-50.html • CWE-863: Incorrect Authorization •
CVSS: 8.0EPSS: 6%CPEs: 58EXPL: 0CVE-2023-38250 – Adobe Commerce | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)
https://notcve.org/view.php?id=CVE-2023-38250
13 Oct 2023 — Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability that could lead in arbitrary code execution by an admin-privilege authenticated attacker. Exploitation of this issue does not require user interaction and attack complexity is high as it requires knowledge of tooling beyond just using the UI. Las versiones de Adobe Com... • https://helpx.adobe.com/security/products/magento/apsb23-50.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.0EPSS: 6%CPEs: 58EXPL: 0CVE-2023-38249 – Adobe Commerce | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)
https://notcve.org/view.php?id=CVE-2023-38249
13 Oct 2023 — Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability that could lead in arbitrary code execution by an admin-privilege authenticated attacker. Exploitation of this issue does not require user interaction and attack complexity is high as it requires knowledge of tooling beyond just using the UI. Las versiones de Adobe Com... • https://helpx.adobe.com/security/products/magento/apsb23-50.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.0EPSS: 6%CPEs: 58EXPL: 0CVE-2023-38221 – Adobe Commerce | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)
https://notcve.org/view.php?id=CVE-2023-38221
13 Oct 2023 — Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability that could lead in arbitrary code execution by an admin-privilege authenticated attacker. Exploitation of this issue does not require user interaction and attack complexity is high as it requires knowledge of tooling beyond just using the UI. Las versiones de Adobe Com... • https://helpx.adobe.com/security/products/magento/apsb23-50.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 1CVE-2023-41879 – Magento LTS's guest order "protect code" can be brute-forced too easily
https://notcve.org/view.php?id=CVE-2023-41879
11 Sep 2023 — Magento LTS is the official OpenMage LTS codebase. Guest orders may be viewed without authentication using a "guest-view" cookie which contains the order's "protect_code". This code is 6 hexadecimal characters which is arguably not enough to prevent a brute-force attack. Exposing each order would require a separate brute force attack. This issue has been patched in versions 19.5.1 and 20.1.1. • https://github.com/OpenMage/magento-lts/commit/2a2a2fb504247e8966f8ffc2e17d614be5d43128 • CWE-330: Use of Insufficiently Random Values •