CVE-2023-38251 – Adobe Commerce | Uncontrolled Resource Consumption (CWE-400)
https://notcve.org/view.php?id=CVE-2023-38251
Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by a Uncontrolled Resource Consumption vulnerability that could lead in minor application denial-of-service. Exploitation of this issue does not require user interaction. Las versiones de Adobe Commerce 2.4.7-beta1 (y anteriores), 2.4.6-p2 (y anteriores), 2.4.5-p4 (y anteriores) y 2.4.4-p5 (y anteriores) se ven afectadas por una vulnerabilidad de Consumo de Recursos Incontrolados eso podría provocar una Denegación de Servicio (DoS) menor en una aplicación. La explotación de este problema no requiere la interacción del usuario. • https://helpx.adobe.com/security/products/magento/apsb23-50.html • CWE-400: Uncontrolled Resource Consumption •
CVE-2023-38219 – Validate Your Inputs | Cross-site Scripting (Stored XSS) (CWE-79) - Customer to Admin stored XSS with Gift wrapping
https://notcve.org/view.php?id=CVE-2023-38219
Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Payload is stored in an admin area, resulting in high confidentiality and integrity impact. Las versiones de Adobe Commerce 2.4.7-beta1 (y anteriores), 2.4.6-p2 (y anteriores), 2.4.5-p4 (y anteriores) y 2.4.4-p5 (y anteriores) se ven afectadas por una vulnerabilidad de Cross-Site Scripting (XSS) Almacenada de la que un atacante con pocos privilegios podría abusar para inyectar scripts maliciosos en campos de formulario vulnerables. Se puede ejecutar JavaScript malicioso en el navegador de la víctima cuando navega a la página que contiene el campo vulnerable. • https://helpx.adobe.com/security/products/magento/apsb23-50.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-38220 – Full page cache enumeration via cookie X-Magento-Vary
https://notcve.org/view.php?id=CVE-2023-38220
Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Authorization vulnerability that could lead in a security feature bypass in a way that an attacker could access unauthorised data. Exploitation of this issue does not require user interaction. Las versiones de Adobe Commerce 2.4.7-beta1 (y anteriores), 2.4.6-p2 (y anteriores), 2.4.5-p4 (y anteriores) y 2.4.4-p5 (y anteriores) se ven afectadas por una vulnerabilidad de autorización incorrecta que podría provocar una elusión de una característica de seguridad de manera que un atacante pudiera acceder a datos no autorizados. La explotación de este problema no requiere la interacción del usuario. • https://helpx.adobe.com/security/products/magento/apsb23-50.html • CWE-285: Improper Authorization •
CVE-2023-26367 – Error based file extraction via PHP filter chains during product bulk import logic
https://notcve.org/view.php?id=CVE-2023-26367
Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Input Validation vulnerability that could lead to arbitrary file system read by an admin-privilege authenticated attacker. Exploitation of this issue does not require user interaction. Las versiones de Adobe Commerce 2.4.7-beta1 (y anteriores), 2.4.6-p2 (y anteriores), 2.4.5-p4 (y anteriores) y 2.4.4-p5 (y anteriores) se ven afectadas por una vulnerabilidad de validación de entrada incorrecta eso podría llevar a que un atacante autenticado con privilegios de administrador lea el sistema de archivos arbitrario. La explotación de este problema no requiere la interacción del usuario. • https://helpx.adobe.com/security/products/magento/apsb23-50.html • CWE-20: Improper Input Validation •
CVE-2023-26366 – Validate Your Inputs | Server-Side Request Forgery (SSRF) (CWE-918)
https://notcve.org/view.php?id=CVE-2023-26366
Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. A high-privileged authenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction, scope is changed due to the fact that an attacker can enforce file read outside the application's path boundary. Las versiones de Adobe Commerce 2.4.7-beta1 (y anteriores), 2.4.6-p2 (y anteriores), 2.4.5-p4 (y anteriores) y 2.4.4-p5 (y anteriores) se ven afectadas por una vulnerabilidad Server-Side Request Forgery (SSRF) que podría provocar una lectura arbitraria del sistema de archivos. Un atacante autenticado con altos privilegios puede obligar a la aplicación a realizar solicitudes arbitrarias mediante la inyección de URL arbitrarias. • https://helpx.adobe.com/security/products/magento/apsb23-50.html • CWE-918: Server-Side Request Forgery (SSRF) •