CVE-2023-22249
Published: 27 March 2023
Summary
CVE-2023-22249 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Adobe Commerce. Its CVSS base score is 4.8 (Medium).
Operationally, its EPSS ranking places it in the top 9.9% of CVEs by exploitation likelihood; it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Deeper analysis
Adobe Commerce versions 2.4.4-p2 and earlier, and 2.4.5-p1 and earlier, contain a stored cross-site scripting vulnerability tracked as CVE-2023-22249. The flaw, classified under CWE-79, allows attacker-supplied markup to be persisted in vulnerable form fields and later executed as JavaScript in the browser of any user who views the page that renders the stored value. The CVSS 3.1 base score of 4.8 corresponds to the vector AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N: network attack vector, low attack complexity, high privileges required, user interaction required, changed scope, low impact on confidentiality and integrity, and no impact on availability.
Because the privileges-required component is High, the attacker already holds an account with elevated (administrative) access and uses it to save a crafted script into one of the susceptible fields. Nothing further happens until another authenticated user opens the page that displays that field; at that point the payload runs with that user's session, so the stored script can perform actions and read data in the victim's name. The practical risk is therefore one privileged account being used to pivot into the sessions of other privileged users rather than an unauthenticated entry point.
The official Adobe security bulletin at https://helpx.adobe.com/security/products/magento/apsb23-17.html addresses the issue and lists the patched releases and mitigation guidance for affected Adobe Commerce (formerly Magento Commerce) deployments; upgrading to a release covered by the bulletin is the fix. The associated EPSS probability rose from a low baseline after disclosure to a peak of 0.1828 on 2026-02-03 before receding to the present value of 0.0521.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-26413
Vulnerability details
Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting")
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (automated, CWE-based)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing: submit XSS payloads (ideally unique canary strings wrapped in script or event-handler markup) to the application's form fields, then re-load every page that renders the stored value and check whether the markup comes back unescaped. This is how a stored flaw like this one is found and confirmed before an attacker uses it.
Input validation: reject or constrain script-bearing content in web form inputs at the point of submission. This is a secondary control only, because validation cannot anticipate every output context in which a value is later rendered and is easily bypassed for fields that legitimately accept punctuation.
Output encoding: escape every untrusted value for the HTML context it is written into (element text, attribute value, URL, or JavaScript), or sanitize rich-text fields against an allow-list of tags. Encoding at render time is the primary defence against XSS, because it neutralizes a stored payload no matter how it got into the database.
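The following is an added example, not code from Adobe Commerce or from this page, that models the stored XSS pattern described under Deeper analysis and the detection and output-encoding controls listed above. The in-memory store, the field names and the canary payload are all constructed for illustration; the vulnerable and hardened render paths are written side by side so the difference is visible in the produced HTML.

```javascript
// Added example (not Adobe's code): a stored XSS in a form-field value,
// the vulnerable render path beside the hardened one, and the canary check
// a tester runs to tell them apart. All names and data here are constructed.

// Hypothetical persistent store standing in for the database column that
// backs a privileged admin form field. Values are saved exactly as typed,
// which is fine as long as every render path encodes on output.
const store = new Map();

function saveField(name, value) {
  store.set(name, String(value));
}

// Escape a value for HTML element-text and quoted-attribute contexts.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// VULNERABLE: the stored value is interpolated straight into markup, so any
// tag it contains becomes part of the page for whoever views it.
function renderVulnerable(name) {
  const v = store.get(name) ?? "";
  return `<div class="field"><label>${name}</label><span>${v}</span></div>`;
}

// HARDENED: every untrusted value is encoded for the context it lands in.
// The payload is still in the store; it simply renders as inert text.
function renderHardened(name) {
  const v = store.get(name) ?? "";
  return `<div class="field"><label>${escapeHtml(name)}</label><span>${escapeHtml(v)}</span></div>`;
}

// Detection check: persist a unique canary inside a script tag (as a pen
// tester or a regression test would), render the page, and report whether
// the tag survived unescaped. Returns true when the render path is vulnerable.
function reflectsUnescaped(render, name, canary) {
  const payload = `<script>window.__xss="${canary}"</script>`;
  saveField(name, payload);
  return render(name).includes(payload);
}

// Run both render paths against the same stored payload.
function demo() {
  const canary = "c4n4ry-" + Math.random().toString(36).slice(2);
  return {
    vulnerable: reflectsUnescaped(renderVulnerable, "store_name", canary),
    hardened: reflectsUnescaped(renderHardened, "store_name", canary),
    hardenedHtml: renderHardened("store_name"),
  };
}

console.log(demo());
```

The check deliberately uses a unique canary rather than a generic `alert(1)` payload so that a hit in the rendered page can be traced back to the exact field and request that planted it. In Adobe Commerce templates the equivalent of `escapeHtml` above is the framework Escaper's `escapeHtml()` and `escapeHtmlAttr()` helpers; the point of the example is that the fix lives at the render path, not in the form that accepts the value.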