CVE-2022-34254 – Adobe Commerce Improper Limitation of a Pathname to a Restricted Directory Arbitrary code execution
https://notcve.org/view.php?id=CVE-2022-34254
Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could be abused by an attacker to inject malicious scripts into the vulnerable endpoint. A low privileged attacker could leverage this vulnerability to read local files and to perform Stored XSS. Exploitation of this issue does not require user interaction. Adobe Commerce versiones 2.4.3-p2 (y anteriores), 2.3.7-p3 (y anteriores) y 2.4.4 (y anteriores) están afectadas por una vulnerabilidad de Limitación Inapropiada de un Nombre de Ruta a un Directorio Restringido ("Salto de Ruta") que podría ser aprovechada por un atacante para inyectar scripts maliciosos en el endpoint vulnerable. Un atacante poco privilegiado podría aprovechar esta vulnerabilidad para leer archivos locales y llevar a cabo un ataque de tipo XSS almacenado. • https://helpx.adobe.com/security/products/magento/apsb22-38.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2022-34256 – Adobe Commerce Improper Authorization Privilege escalation
https://notcve.org/view.php?id=CVE-2022-34256
Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Improper Authorization vulnerability that could result in Privilege escalation. An attacker could leverage this vulnerability to access other user's data. Exploitation of this issue does not require user interaction. Adobe Commerce versiones 2.4.3-p2 (y anteriores), 2.3.7-p3 (y anteriores) y 2.4.4 (y anteriores) están afectadas por una vulnerabilidad de Autorización Inapropiada que podría resultar en una escalada de Privilegios. Un atacante podría aprovechar esta vulnerabilidad para acceder a los datos de otros usuarios. • https://helpx.adobe.com/security/products/magento/apsb22-38.html • CWE-285: Improper Authorization •
CVE-2022-34258 – Adobe Commerce Stored XSS Arbitrary code execution
https://notcve.org/view.php?id=CVE-2022-34258
Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker with admin privileges to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Adobe Commerce versiones 2.4.3-p2 (y anteriores), 2.3.7-p3 (y anteriores) y 2.4.4 (y anteriores) están afectadas por una vulnerabilidad de tipo Cross-Site Scripting (XSS) almacenado de la que podría abusar un atacante con privilegios de administrador para inyectar secuencias de comandos maliciosas en campos de formulario vulnerables. El JavaScript malicioso puede ejecutarse en el navegador de la víctima cuando ésta navega a la página que contiene el campo vulnerable. • https://helpx.adobe.com/security/products/magento/apsb22-38.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-24086 – Adobe Commerce and Magento Open Source Improper Input Validation Vulnerability
https://notcve.org/view.php?id=CVE-2022-24086
Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability during the checkout process. Exploitation of this issue does not require user interaction and could result in arbitrary code execution. Adobe Commerce versiones 2.4.3-p1 (y anteriores) y 2.3.7-p2 (y anteriores), están afectadas por una vulnerabilidad de comprobación de entrada inapropiada durante el proceso de compra. Una explotación de este problema no requiere la interacción del usuario y podría resultar en una ejecución de código arbitrario Adobe Commerce and Magento Open Source contain an improper input validation vulnerability which can allow for arbitrary code execution. • https://github.com/Mr-xn/CVE-2022-24086 https://github.com/oK0mo/CVE-2022-24086-RCE-PoC https://github.com/nanaao/CVE-2022-24086-RCE https://github.com/pescepilota/CVE-2022-24086 https://github.com/NHPT/CVE-2022-24086-RCE https://github.com/akr3ch/CVE-2022-24086 https://github.com/rxerium/CVE-2022-24086 https://github.com/BurpRoot/CVE-2022-24086 https://github.com/seymanurmutlu/CVE-2022-24086-CVE-2022-24087 https://helpx.adobe.com/security/products/magento/apsb2 • CWE-20: Improper Input Validation •
CVE-2021-28567 – Magento Commerce improper authorization allows an authenticated user to perform certain functions without permission
https://notcve.org/view.php?id=CVE-2021-28567
Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are vulnerable to an Improper Authorization vulnerability in the customers module. Successful exploitation could allow a low-privileged user to modify customer data. Access to the admin console is required for successful exploitation. Magento versiones 2.4.2 (y anteriores), versiones 2.4.1-p1 (y anteriores) y versiones 2.3.6-p1 (y anteriores), son susceptibles a una vulnerabilidad de Autorización Inapropiada en el módulo de clientes. Una explotación con éxito podría permitir a un usuario pocos privilegiados modificar los datos de los clientes. • https://helpx.adobe.com/security/products/magento/apsb21-30.html • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •