CVE-2023-38207 – Adobe Commerce XML Injection (aka Blind XPath Injection) Arbitrary file system read
https://notcve.org/view.php?id=CVE-2023-38207
Adobe Commerce versions 2.4.6-p1 (and earlier), 2.4.5-p3 (and earlier) and 2.4.4-p4 (and earlier) are affected by a XML Injection (aka Blind XPath Injection) vulnerability that could lead in minor arbitrary file system read. Exploitation of this issue does not require user interaction. Las versiones 2.4.6-p1 (y anteriores), 2.4.5-p3 (y anteriores) y 2.4.4-p4 (y anteriores) de Adobe Commerce están afectadas por una vulnerabilidad de inyección XML (también conocida como Blind XPath Injection) que podría provocar una lectura menor del sistema de archivos arbitrario. La explotación de este problema no requiere la interacción del usuario. • https://helpx.adobe.com/security/products/magento/apsb23-42.html • CWE-91: XML Injection (aka Blind XPath Injection) •
CVE-2023-38208 – Validate Your Inputs | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
https://notcve.org/view.php?id=CVE-2023-38208
Adobe Commerce versions 2.4.6-p1 (and earlier), 2.4.5-p3 (and earlier) and 2.4.4-p4 (and earlier) are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead to arbitrary code execution by an admin-privilege authenticated attacker. Exploitation of this issue does not require user interaction. • https://helpx.adobe.com/security/products/magento/apsb23-42.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2023-38209 – Adobe Commerce Incorrect Authorization Security feature bypass
https://notcve.org/view.php?id=CVE-2023-38209
Adobe Commerce versions 2.4.6-p1 (and earlier), 2.4.5-p3 (and earlier) and 2.4.4-p4 (and earlier) are affected by an Incorrect Authorization vulnerability that could lead to a Security feature bypass. A low-privileged attacker could leverage this vulnerability to access other user's data. Exploitation of this issue does not require user interaction. • https://helpx.adobe.com/security/products/magento/apsb23-42.html • CWE-863: Incorrect Authorization •
CVE-2023-29291 – Server Side Request Forgery (SSRF) in USPS carrier integration configuration
https://notcve.org/view.php?id=CVE-2023-29291
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. An admin-privilege authenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction. • https://helpx.adobe.com/security/products/magento/apsb23-35.html • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2023-29297 – Admin-to-admin stored XSS via cache poisoning
https://notcve.org/view.php?id=CVE-2023-29297
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by a Improper Neutralization of Special Elements Used in a Template Engine vulnerability that could lead to arbitrary code execution by an admin-privilege authenticated attacker. Exploitation of this issue does not require user interaction. • https://helpx.adobe.com/security/products/magento/apsb23-35.html • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •