CVE-2022-34253

XML Injection (aka Blind XPath Injection) (CWE-91)

Published: Aug 9, 2022 / Updated: 27mo ago

CVSS 7.2 / EPSS 0.22% / High

Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an XML Injection vulnerability in the Widgets Module. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution. Exploitation of this issue does not require user interaction.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2022-34253.

Aug 9, 2022 at 4:40 PM / unknown
EPSS

EPSS Score was set to: 0.22% (Percentile: 59.4%)

Sep 26, 2023 at 5:28 PM
CVSS

A CVSS base score of 7.2 has been assigned.

Oct 21, 2024 at 9:54 PM / nvd

Affected Systems

Adobe/commerce

Patches

Adobe

Attack Patterns

CAPEC-250: XML Injection

Vendor Advisory

APSB22-38: Security update available for Adobe Commerce
This update resolves critical, important and moderate vulnerabilities. Successful exploitation could lead to arbitrary code execution, privilege escalation and security feature bypass.


News

Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution.
Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution.
CVE-2022-34253
Critical severity. Read more at https://www.tenable.com/cve/CVE-2022-34253
CVE-2022-34253 (commerce, magento)

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
