CVE-2022-34253
Published: 16 August 2022
Summary
CVE-2022-34253 is a high-severity XML Injection (aka Blind XPath Injection, CWE-91) vulnerability in Adobe Commerce. Its CVSS base score is 7.2 (High).
Operationally, it ranks in the top 2.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Adobe Commerce versions 2.4.3-p2 and earlier, 2.3.7-p3 and earlier, and 2.4.4 and earlier contain an XML Injection vulnerability (CWE-91) in the Widgets Module. The flaw carries a CVSS 3.1 base score of 7.2 and stems from insufficient validation of XML input supplied to the affected component.
An authenticated attacker with administrative privileges can supply a specially crafted script over the network to trigger remote code execution. No user interaction is required, and successful exploitation yields full confidentiality, integrity, and availability impact on the affected installation.
The official Adobe security bulletin APSB22-38, available at https://helpx.adobe.com/security/products/magento/apsb22-38.html, details the patches that address the issue for supported Magento and Adobe Commerce releases.
The associated EPSS score has remained flat at a peak of 0.3719 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-6539
Vulnerability details
Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an XML Injection vulnerability in the Widgets Module. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution. Exploitation of this issue does not require user interaction.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.