CVE-2023-38250 Vulnerability Details

  /     /     /  

CVE-2023-38250 Metadata Quick Info

CVE Published: 13/10/2023 | CVE Updated: 17/09/2024 | CVE Year: 2023
Source: adobe | Vendor: Adobe | Product: Adobe Commerce
Status : PUBLISHED

CVE-2023-38250 Description

Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Neutralization of Special Elements used in an SQL Command (\'SQL Injection\') vulnerability that could lead in arbitrary code execution by an admin-privilege authenticated attacker. Exploitation of this issue does not require user interaction and attack complexity is high as it requires knowledge of tooling beyond just using the UI.

Metrics

CVSS Version: 3.1 | Base Score: 8 HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

l➤ Exploitability Metrics:
    Attack Vector (AV)* NETWORK
    Attack Complexity (AC)* HIGH
    Privileges Required (PR)* HIGH
    User Interaction (UI)* NONE
    Scope (S)* CHANGED

l➤ Impact Metrics:
    Confidentiality Impact (C)* HIGH
    Integrity Impact (I)* HIGH
    Availability Impact (A)* HIGH

Weakness Enumeration (CWE)

CWE-ID: CWE-89
CWE Name: Improper Neutralization of Special Elements used in an SQL Command ( SQL Injection ) (CWE-89)
Source: Adobe

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).