Cyber Resilience

CVE-2022-34253

High

Published: 16 August 2022

Modified: 21 November 2024
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.3719 (97.3th percentile)
Risk Priority: 37 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-34253 is a high-severity XML Injection (aka Blind XPath Injection, CWE-91) vulnerability in Adobe Commerce. Its CVSS base score is 7.2 (High).

Operationally, it ranks in the top 2.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Adobe Commerce versions 2.4.3-p2 and earlier, 2.3.7-p3 and earlier, and 2.4.4 and earlier contain an XML Injection vulnerability (CWE-91) in the Widgets Module. The flaw carries a CVSS 3.1 base score of 7.2 and stems from insufficient validation of XML input supplied to the affected component.

An authenticated attacker with administrative privileges can supply a specially crafted script over the network to trigger remote code execution. No user interaction is required, and successful exploitation yields full confidentiality, integrity, and availability impact on the affected installation.

The official Adobe security bulletin APSB22-38, available at https://helpx.adobe.com/security/products/magento/apsb22-38.html, details the patches that address the issue for supported Magento and Adobe Commerce releases.

The associated EPSS score has held at its peak of 0.3719, with no material increase since disclosure.

EU & UK References

Vulnerability details

Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an XML Injection vulnerability in the Widgets Module. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.…


Exploitation of this issue does not require user interaction.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: adobe · Product: commerce · Versions: 2.3.7, 2.4.3, 2.4.4 · 2.3.0 — 2.3.7 · 2.4.0 — 2.4.3
Vendor: magento · Product: magento · Versions: 2.3.7, 2.4.3, 2.4.4 · 2.3.0 — 2.3.7 · 2.4.0 — 2.4.3

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References