CVE-2022-34253 CRITICAL

CVE-2022-34253: Adobe Commerce XML Injection Arbitrary code execution

Vendor Adobe
Product Magento Commerce
Weakness CWE-91 · XML injection
Published August 16, 2022
Last update April 23, 2025

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an XML Injection vulnerability in the Widgets Module. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution. Exploitation of this issue does not require user interaction.

Key dates

02Disclosure timeline

August 16, 2022 CVE published
April 23, 2025 Record updated