CVE-2023-22247 – magento/community-edition

Package

Manager: composer
Name: magento/community-edition
Vulnerable Version: =2.4.5-p1 || >=2.4.5-p1 <2.4.5-p2 || =2.4.5 || >=2.4.4-p1 <2.4.4-p3 || =2.4.4

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00736 pctl0.71959

Details

Magento Open Source allows XML Injection Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an XML Injection vulnerability that could lead to arbitrary file system read. An unauthenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction.

Metadata

Created: 2023-03-27T21:30:25Z
Modified: 2025-03-04T16:18:00Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-2444-8gj8-6fmx/GHSA-2444-8gj8-6fmx.json
CWE IDs: ["CWE-91"]
Alternative ID: GHSA-2444-8gj8-6fmx
Finding: F083
Auto approve: 1