CVE-2023-38221 HIGH

CVE-2023-38221: Adobe Commerce | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)

Vendor Adobe
Product Adobe Commerce
Weakness CWE-89 · SQLi
Published October 13, 2023
Last update February 27, 2025
View on NVD All CVEs

CVSS base score

8.0/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability that could lead in arbitrary code execution by an admin-privilege authenticated attacker. Exploitation of this issue does not require user interaction and attack complexity is high as it requires knowledge of tooling beyond just using the UI.

Key dates

02Disclosure timeline

October 13, 2023 CVE published
February 27, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-14090 AMTT Hotel Broadband Operation System cardmake_down.php sql injection CVE-2024-10430 Codezips Pet Shop Management System animalsupdate.php sql injection CVE-2025-6878 SourceCodester Best Salon Management System search-appointment.php sql injection CVE-2025-30784 WordPress WP Subscription Forms plugin <= 1.2.3 - SQL Injection Vulnerability CVE-2025-5358 PHPGurukul/Campcodes Cyber Cafe Management System bwdates-reports-details.php sql injection