March 9, 2025
Proactive Defense: The Importance of Incident Response Planning in Cybersecurity
Rewterz Threat Alert – STOP (DJVU) Ransomware – Active IOCs
October 12, 2023Rewterz Threat Update – Zero-Day Vulnerability ‘HTTP/2 Rapid Reset’ Exploited to Launch Record-Breaking DDoS Attacks
October 12, 2023Rewterz Threat Alert – STOP (DJVU) Ransomware – Active IOCs
October 12, 2023Rewterz Threat Update – Zero-Day Vulnerability ‘HTTP/2 Rapid Reset’ Exploited to Launch Record-Breaking DDoS Attacks
October 12, 2023
Severity
High
Analysis Summary
CVE-2023-26368 CVSS:5.4
Adobe Commerce and Magento Open Source are vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute a script in a victim’s Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2023-38251 CVSS:5.3
Adobe Commerce and Magento Open Source are vulnerable to a denial of service, caused by uncontrolled resource consumption. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.
CVE-2023-26367 CVSS:7.6
Adobe Commerce and Magento Open Source could allow a remote authenticated attacker to obtain sensitive information. By persuading a victim to open a specially crafted document, an attacker could exploit this vulnerability to obtain sensitive information and possibly execute arbitrary code on the system.
CVE-2023-38250 CVSS:8.0
Adobe Commerce and Magento Open Source is vulnerable to SQL injection. A remote authenticated attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database.
CVE-2023-38249 CVSS:8.0
Adobe Commerce and Magento Open Source is vulnerable to SQL injection. A remote authenticated attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database.
CVE-2023-38219 CVSS:8.4
Adobe Commerce and Magento Open Source are vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute a script in a victim’s Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2023-26366 CVSS:4.9
Adobe Commerce and Magento Open Source are vulnerable to server-side request forgery. By persuading a victim to open a specially crafted document, a remote authenticated attacker could exploit this vulnerability to read the arbitrary file system.
CVE-2023-38221 CVSS:8.0
Adobe Commerce and Magento Open Source is vulnerable to SQL injection. A remote authenticated attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database.
CVE-2023-38220 CVSS:7.5
Adobe Commerce and Magento Open Source could allow a remote attacker to bypass security restrictions, caused by improper authorization. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to bypass the security feature.
CVE-2023-38218 CVSS:8.8
Adobe Commerce and Magento Open Source could allow a remote attacker to gain elevated privileges on the system, caused by improper input validation. By persuading a victim to open a specially crafted document, a remote authenticated attacker could exploit this vulnerability to gain elevated privileges on the system.
Impact
- Gain Access
- Information Theft
- Cross-Site Scripting
- Privileges Escalation
- Denial of Service
- Data Manipulation
- Security Bypass
Indicators Of Compromise
CVE
- CVE-2023-26368
- CVE-2023-38251
- CVE-2023-26367
- CVE-2023-38250
- CVE-2023-38249
- CVE-2023-38219
- CVE-2023-26366
- CVE-2023-38221
- CVE-2023-38220
- CVE-2023-38218
Affected Vendors
Adobe
Affected Products
- Adobe Commerce 2.4.3
- Adobe Commerce 2.3.7-p2
- Adobe Commerce 2.4.4
- Adobe Commerce 2.4.4-p1
- Adobe Commerce 2.4.4-p2
- Adobe Commerce 2.4.4-p3
- Adobe Commerce 2.4.5
- Adobe Commerce 2.4.5-p1
- Adobe Commerce 2.4.5-p2
- Adobe Commerce 2.4.2-ext-2
- Adobe Commerce 2.4.3-ext-2
- Adobe Commerce 2.4.1-ext-2
- Adobe Commerce 2.4.0-ext-2
- Adobe Commerce 2.3.7-p4-ext-2
- Adobe Commerce 2.3.7-p4-ext-4
- Adobe Magento Open Source 2.4.4-p2
- Adobe Commerce 2.3.7-p4-ext-3
- Adobe Magento Open Source 2.4.4-p4
- Adobe Magento Open Source 2.4.5-p1
- Adobe Magento Open Source 2.4.5-p2
- Adobe Magento Open Source 2.4.4-p3
- Adobe Magento Open Source 2.4.6
Remediation
Refer to Adobe Security Advisory for patch, upgrade or suggested workaround information.