CVE-2023-22247 HIGH

CVE-2023-22247: Adobe Commerce XML Injection Arbitrary file system read

Vendor Adobe

Product Magento Commerce

Weakness CWE-91 · XML injection

Published March 27, 2023

Last update March 5, 2025

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an XML Injection vulnerability that could lead to arbitrary file system read. An unauthenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction.

Key dates

02Disclosure timeline

March 27, 2023 CVE published

March 5, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-22247 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/91.html

Related vulnerabilities

Identifiers

CVE CVE-2023-22247

CWE CWE-91

CVSS 7.5 / HIGH

Affected versions

Vendor Adobe

Product Magento Commerce

Affected ≥ unspecified and ≤ 2.4.5-p1

Vendor Adobe

Product Magento Commerce

Affected ≥ unspecified and ≤ 2.4.4-p2

Vendor Adobe

Product Magento Commerce

Affected ≥ unspecified and ≤ None

CVE-2023-22247: Adobe Commerce XML Injection Arbitrary file system read

01Description

02Disclosure timeline

03References

04Related CVE