CVE-2023-38220 HIGH

CVE-2023-38220: Full page cache enumeration via cookie X-Magento-Vary

Vendor Adobe

Product Adobe Commerce

Weakness CWE-285

Published October 13, 2023

Last update February 27, 2025

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Authorization vulnerability that could lead in a security feature bypass in a way that an attacker could access unauthorised data. Exploitation of this issue does not require user interaction.

Key dates

Disclosure timeline

October 13, 2023 CVE published

February 27, 2025 Record updated