{"containers": {"cna": {"affected": [{"product": "Magento Commerce", "vendor": "Adobe", "versions": [{"lessThanOrEqual": "2.4.4", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThanOrEqual": "2.3.7-p3", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThanOrEqual": "2.4.3-p2", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThanOrEqual": "None", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2022-08-09T00:00:00", "descriptions": [{"lang": "en", "value": "Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an XML Injection vulnerability in the Widgets Module. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution. Exploitation of this issue does not require user interaction."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-91", "description": "XML Injection (aka Blind XPath Injection) (CWE-91)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-16T19:45:50", "orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://helpx.adobe.com/security/products/magento/apsb22-38.html"}], "source": {"discovery": "EXTERNAL"}, "title": "Adobe Commerce XML Injection Arbitrary code execution", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@adobe.com", "DATE_PUBLIC": "2022-08-09T23:00:00.000Z", "ID": "CVE-2022-34253", "STATE": "PUBLIC", "TITLE": "Adobe Commerce XML Injection Arbitrary code execution"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Magento Commerce", "version": {"version_data": [{"version_affected": "<=", "version_value": "2.4.4"}, {"version_affected": "<=", "version_value": "2.3.7-p3"}, {"version_affected": "<=", "version_value": "2.4.3-p2"}, {"version_affected": "<=", "version_value": "None"}]}}]}, "vendor_name": "Adobe"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an XML Injection vulnerability in the Widgets Module. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution. Exploitation of this issue does not require user interaction."}]}, "impact": {"cvss": {"attackComplexity": "Low", "attackVector": "Network", "availabilityImpact": "High", "baseScore": 9.1, "baseSeverity": "Critical", "confidentialityImpact": "High", "integrityImpact": "High", "privilegesRequired": "High", "scope": "Changed", "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "XML Injection (aka Blind XPath Injection) (CWE-91)"}]}]}, "references": {"reference_data": [{"name": "https://helpx.adobe.com/security/products/magento/apsb22-38.html", "refsource": "MISC", "url": "https://helpx.adobe.com/security/products/magento/apsb22-38.html"}]}, "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T09:07:15.462Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://helpx.adobe.com/security/products/magento/apsb22-38.html"}]}]}, "cveMetadata": {"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "assignerShortName": "adobe", "cveId": "CVE-2022-34253", "datePublished": "2022-08-16T19:45:52.891423Z", "dateReserved": "2022-06-21T00:00:00", "dateUpdated": "2024-09-16T16:18:30.748Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:adobe:commerce:*:*:*:*:*:*:*:*", "matchCriteriaId": "710EE526-2F86-4887-9D94-17A3F20E3396", "versionEndExcluding": "2.3.7", "versionStartIncluding": "2.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:commerce:*:*:*:*:*:*:*:*", "matchCriteriaId": "BF96C367-576B-437B-A86C-CB9CA65CB481", "versionEndExcluding": "2.4.3", "versionStartIncluding": "2.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:commerce:2.3.7:-:*:*:*:*:*:*", "matchCriteriaId": "4346BF61-743B-4BBE-AC90-9954FEE6E943", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:commerce:2.3.7:p1:*:*:*:*:*:*", "matchCriteriaId": "9F471E19-8AFE-4A6C-88EA-DF94428518F7", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:commerce:2.3.7:p2:*:*:*:*:*:*", "matchCriteriaId": "27E5B990-1E1C-46AC-815F-AF737D211C16", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:commerce:2.3.7:p3:*:*:*:*:*:*", "matchCriteriaId": "8D1598F4-AA41-4F94-A986-E603DC42AC8B", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:commerce:2.4.3:-:*:*:*:*:*:*", "matchCriteriaId": "7B503C35-8C90-4A24-8E60-722CDBBF556B", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:commerce:2.4.3:p1:*:*:*:*:*:*", "matchCriteriaId": "8A453C85-A14A-47B8-B91D-3906BBE42A78", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:commerce:2.4.3:p2:*:*:*:*:*:*", "matchCriteriaId": "38FFC3BA-B75E-4060-9E29-74367C7BE8A8", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:commerce:2.4.4:-:*:*:*:*:*:*", "matchCriteriaId": "D258D9EF-94FB-41F0-A7A5-7F66FA7A0055", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:*:*:*:*:commerce:*:*:*", "matchCriteriaId": "EF7E0CE5-C73F-4516-9C22-D661C1D09BED", "versionEndExcluding": "2.3.7", "versionStartIncluding": "2.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:*:*:*:*:commerce:*:*:*", "matchCriteriaId": "D26A9A5C-27A5-481C-A721-ED774F90A503", "versionEndExcluding": "2.4.3", "versionStartIncluding": "2.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.3.7:-:*:*:commerce:*:*:*", "matchCriteriaId": "F124A6F4-E3B3-4065-970D-963BAAAD59CB", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.3.7:p1:*:*:commerce:*:*:*", "matchCriteriaId": "0F954F97-00FF-4ADC-A185-ACF0513C5294", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.3.7:p2:*:*:commerce:*:*:*", "matchCriteriaId": "E4798194-5488-4DB5-8427-0AFDDD8F4D0E", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.3.7:p3:*:*:commerce:*:*:*", "matchCriteriaId": "8D8E981A-FE0D-47EA-A138-C8DB67DF3859", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.4.3:-:*:*:commerce:*:*:*", "matchCriteriaId": "A573FBD1-29A3-4601-B0FA-AFEF953C05E5", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.4.3:p1:*:*:commerce:*:*:*", "matchCriteriaId": "9D138592-62B8-458A-9B95-9E05FDA8D63A", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.4.3:p2:*:*:commerce:*:*:*", "matchCriteriaId": "415E26EA-1394-4415-8CF0-8E61BC12AB24", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.4.4:-:*:*:commerce:*:*:*", "matchCriteriaId": "3A428482-CEE7-4B7A-9CDE-C062E7126110", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an XML Injection vulnerability in the Widgets Module. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution. Exploitation of this issue does not require user interaction."}, {"lang": "es", "value": "Adobe Commerce versiones 2.4.3-p2 (y anteriores), 2.3.7-p3 (y anteriores) y 2.4.4 (y anteriores) est\u00e1n afectadas por una vulnerabilidad de inyecci\u00f3n XML en el m\u00f3dulo de widgets. Un atacante con privilegios de administrador puede desencadenar un script especialmente dise\u00f1ado para lograr una ejecuci\u00f3n de c\u00f3digo remota. No es requerida una interacci\u00f3n del usuario para la explotaci\u00f3n de este problema."}], "id": "CVE-2022-34253", "lastModified": "2024-11-21T07:09:09.320", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "psirt@adobe.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-08-16T21:15:09.973", "references": [{"source": "psirt@adobe.com", "tags": ["Vendor Advisory"], "url": "https://helpx.adobe.com/security/products/magento/apsb22-38.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://helpx.adobe.com/security/products/magento/apsb22-38.html"}], "sourceIdentifier": "psirt@adobe.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-91"}], "source": "psirt@adobe.com", "type": "Secondary"}]}

{}