CVE-2023-26366 MEDIUM

CVE-2023-26366: Validate Your Inputs | Server-Side Request Forgery (SSRF) (CWE-918)

Vendor Adobe

Product Adobe Commerce

Weakness CWE-918 · SSRF

Published October 13, 2023

Last update February 27, 2025

View on NVD All CVEs

CVSS base score

6.8/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

01Description

Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. A high-privileged authenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction, scope is changed due to the fact that an attacker can enforce file read outside the application's path boundary.

Key dates

02Disclosure timeline

October 13, 2023 CVE published

February 27, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-26366 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/918.html

Related vulnerabilities

CVE-2023-26366: Validate Your Inputs | Server-Side Request Forgery (SSRF) (CWE-918)

01Description

02Disclosure timeline

03References

04Related CVE