Request a Demo
Rewterz
Rewterz Threat Alert – STOP (DJVU) Ransomware – Active IOCs
October 12, 2023
Rewterz
Rewterz Threat Update – Zero-Day Vulnerability ‘HTTP/2 Rapid Reset’ Exploited to Launch Record-Breaking DDoS Attacks
October 12, 2023

Rewterz Threat Advisory – Multiple Adobe Commerce and Magento Open Source Vulnerabilities

Severity

High

Analysis Summary

CVE-2023-26368 CVSS:5.4

Adobe Commerce and Magento Open Source are vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute a script in a victim’s Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2023-38251 CVSS:5.3

Adobe Commerce and Magento Open Source are vulnerable to a denial of service, caused by uncontrolled resource consumption. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.

CVE-2023-26367 CVSS:7.6

Adobe Commerce and Magento Open Source could allow a remote authenticated attacker to obtain sensitive information. By persuading a victim to open a specially crafted document, an attacker could exploit this vulnerability to obtain sensitive information and possibly execute arbitrary code on the system.

CVE-2023-38250 CVSS:8.0

Adobe Commerce and Magento Open Source is vulnerable to SQL injection. A remote authenticated attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database.

CVE-2023-38249 CVSS:8.0

Adobe Commerce and Magento Open Source is vulnerable to SQL injection. A remote authenticated attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database.

CVE-2023-38219 CVSS:8.4

Adobe Commerce and Magento Open Source are vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute a script in a victim’s Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2023-26366 CVSS:4.9

Adobe Commerce and Magento Open Source are vulnerable to server-side request forgery. By persuading a victim to open a specially crafted document, a remote authenticated attacker could exploit this vulnerability to read the arbitrary file system.

CVE-2023-38221 CVSS:8.0

Adobe Commerce and Magento Open Source is vulnerable to SQL injection. A remote authenticated attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database.

CVE-2023-38220 CVSS:7.5

Adobe Commerce and Magento Open Source could allow a remote attacker to bypass security restrictions, caused by improper authorization. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to bypass the security feature.

CVE-2023-38218 CVSS:8.8

Adobe Commerce and Magento Open Source could allow a remote attacker to gain elevated privileges on the system, caused by improper input validation. By persuading a victim to open a specially crafted document, a remote authenticated attacker could exploit this vulnerability to gain elevated privileges on the system.

Impact

  • Gain Access
  • Information Theft
  • Cross-Site Scripting
  • Privileges Escalation
  • Denial of Service
  • Data Manipulation
  • Security Bypass

Indicators Of Compromise

CVE

  • CVE-2023-26368
  • CVE-2023-38251
  • CVE-2023-26367
  • CVE-2023-38250
  • CVE-2023-38249
  • CVE-2023-38219
  • CVE-2023-26366
  • CVE-2023-38221
  • CVE-2023-38220
  • CVE-2023-38218

Affected Vendors

Adobe

Affected Products

  • Adobe Commerce 2.4.3
  • Adobe Commerce 2.3.7-p2
  • Adobe Commerce 2.4.4
  • Adobe Commerce 2.4.4-p1
  • Adobe Commerce 2.4.4-p2
  • Adobe Commerce 2.4.4-p3
  • Adobe Commerce 2.4.5
  • Adobe Commerce 2.4.5-p1
  • Adobe Commerce 2.4.5-p2
  • Adobe Commerce 2.4.2-ext-2
  • Adobe Commerce 2.4.3-ext-2
  • Adobe Commerce 2.4.1-ext-2
  • Adobe Commerce 2.4.0-ext-2
  • Adobe Commerce 2.3.7-p4-ext-2
  • Adobe Commerce 2.3.7-p4-ext-4
  • Adobe Magento Open Source 2.4.4-p2
  • Adobe Commerce 2.3.7-p4-ext-3
  • Adobe Magento Open Source 2.4.4-p4
  • Adobe Magento Open Source 2.4.5-p1
  • Adobe Magento Open Source 2.4.5-p2
  • Adobe Magento Open Source 2.4.4-p3
  • Adobe Magento Open Source 2.4.6

Remediation

Refer to Adobe Security Advisory for patch, upgrade or suggested workaround information.

Adobe Security Advisory