Vulnerability Details : CVE-2023-29297
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by a Improper Neutralization of Special Elements Used in a Template Engine vulnerability that could lead to arbitrary code execution by an admin-privilege authenticated attacker. Exploitation of this issue does not require user interaction.
Products affected by CVE-2023-29297
- cpe:2.3:a:adobe:magento:2.4.4:-:*:*:open_source:*:*:*
- cpe:2.3:a:adobe:magento:2.4.4:p1:*:*:open_source:*:*:*
- cpe:2.3:a:adobe:magento:2.4.4:p2:*:*:open_source:*:*:*
- cpe:2.3:a:adobe:magento:2.4.4:p3:*:*:open_source:*:*:*
- cpe:2.3:a:adobe:magento:2.4.5:-:*:*:open_source:*:*:*
- cpe:2.3:a:adobe:magento:2.4.5:p1:*:*:open_source:*:*:*
- cpe:2.3:a:adobe:magento:2.4.5:p2:*:*:open_source:*:*:*
- cpe:2.3:a:adobe:magento:2.4.6:-:*:*:open_source:*:*:*
- cpe:2.3:a:adobe:commerce:2.3.7:p1:*:*:*:*:*:*
- cpe:2.3:a:adobe:commerce:2.3.7:p2:*:*:*:*:*:*
- cpe:2.3:a:adobe:commerce:2.4.3:-:*:*:*:*:*:*
- cpe:2.3:a:adobe:commerce:2.3.7:-:*:*:*:*:*:*
- cpe:2.3:a:adobe:commerce:2.3.7:p3:*:*:*:*:*:*
- cpe:2.3:a:adobe:commerce:2.4.4:-:*:*:*:*:*:*
- cpe:2.3:a:adobe:commerce:2.4.5:-:*:*:*:*:*:*
- cpe:2.3:a:adobe:commerce:2.4.4:p1:*:*:*:*:*:*
- cpe:2.3:a:adobe:commerce:2.4.5:p1:*:*:*:*:*:*
- cpe:2.3:a:adobe:commerce:2.4.4:p2:*:*:*:*:*:*
- cpe:2.3:a:adobe:commerce:2.4.5:p2:*:*:*:*:*:*
- cpe:2.3:a:adobe:commerce:2.4.4:p3:*:*:*:*:*:*
- cpe:2.3:a:adobe:commerce:2.4.6:-:*:*:*:*:*:*
- cpe:2.3:a:adobe:commerce:2.3.7:p4-ext2:*:*:*:*:*:*
- cpe:2.3:a:adobe:commerce:2.3.7:p4-ext1:*:*:*:*:*:*
- cpe:2.3:a:adobe:commerce:2.3.7:p4:*:*:*:*:*:*
- cpe:2.3:a:adobe:commerce:2.4.0:-:*:*:*:*:*:*
- cpe:2.3:a:adobe:commerce:2.4.0:ext-1:*:*:*:*:*:*
- cpe:2.3:a:adobe:commerce:2.4.0:ext-2:*:*:*:*:*:*
- cpe:2.3:a:adobe:commerce:2.4.1:-:*:*:*:*:*:*
- cpe:2.3:a:adobe:commerce:2.4.1:ext-1:*:*:*:*:*:*
- cpe:2.3:a:adobe:commerce:2.4.1:ext-2:*:*:*:*:*:*
- cpe:2.3:a:adobe:commerce:2.4.2:-:*:*:*:*:*:*
- cpe:2.3:a:adobe:commerce:2.4.2:ext-1:*:*:*:*:*:*
- cpe:2.3:a:adobe:commerce:2.4.2:ext-2:*:*:*:*:*:*
- cpe:2.3:a:adobe:commerce:2.4.3:ext-2:*:*:*:*:*:*
- cpe:2.3:a:adobe:commerce:2.4.3:ext-1:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-29297
0.13%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 49 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-29297
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.2
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
1.2
|
5.9
|
NIST | |
9.1
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
2.3
|
6.0
|
Adobe Systems Incorporated |
CWE ids for CVE-2023-29297
-
The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.Assigned by: psirt@adobe.com (Secondary)
References for CVE-2023-29297
-
https://helpx.adobe.com/security/products/magento/apsb23-35.html
Adobe Security BulletinVendor Advisory
Jump to