Design/Logic Flaw

2023-03-2721:15:00

PRIOn knowledge base

www.prio-n.com

adobe commerce

xml injection

vulnerability

arbitrary file system read

unauthenticated attacker

7.7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

50.0%

JSON

Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an XML Injection vulnerability that could lead to arbitrary file system read. An unauthenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction.

CPENameOperatorVersion
commerceeq2.4.4
commerceeq2.4.5
commerceeq2.4.4 p1
commercelt2.4.4
commerceeq2.4.5 p1
commerceeq2.4.4 p2
magento_open_sourcelt2.4.4
magento_open_sourceeq2.4.5
magento_open_sourceeq2.4.4 p1
magento_open_sourceeq2.4.4

Name	Operator	Version
commerce	eq	2.4.4
commerce	eq	2.4.5
commerce	eq	2.4.4 p1
commerce	lt	2.4.4
commerce	eq	2.4.5 p1
commerce	eq	2.4.4 p2
magento_open_source	lt	2.4.4
magento_open_source	eq	2.4.5
magento_open_source	eq	2.4.4 p1
magento_open_source	eq	2.4.4