Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2023-AVI-0227
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits Adobe. Elles permettent à un attaquant de provoquer une injection de code indirecte à distance (XSS), un contournement de la politique de sécurité, une exécution de code arbitraire à distance et une atteinte à la confidentialité des données.
L'éditeur indique que la vulnérabilité CVE-2023-26360 est exploitée dans le cadre d'attaques ciblées.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Adobe | ColdFusion | ColdFusion 2021 versions antérieures à Update 6 | ||
| Adobe | ColdFusion | ColdFusion 2018 versions antérieures à Update 16 | ||
| Adobe | Magento | Magento Open Source 2.4.4.x versions antérieures à 2.4.4-p3 | ||
| Adobe | Commerce | Adobe Commerce 2.4.4.x versions antérieures à 2.4.4-p3 | ||
| Adobe | Commerce | Adobe Commerce 2.4.5.x versions antérieures à 2.4.5-p2 | ||
| Adobe | Magento | Magento Open Source 2.4.5.x versions antérieures à 2.4.5-p2 |
References
| Title | Publication Time | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "ColdFusion 2021 versions ant\u00e9rieures \u00e0 Update 6",
"product": {
"name": "ColdFusion",
"vendor": {
"name": "Adobe",
"scada": false
}
}
},
{
"description": "ColdFusion 2018 versions ant\u00e9rieures \u00e0 Update 16",
"product": {
"name": "ColdFusion",
"vendor": {
"name": "Adobe",
"scada": false
}
}
},
{
"description": "Magento Open Source 2.4.4.x versions ant\u00e9rieures \u00e0 2.4.4-p3",
"product": {
"name": "Magento",
"vendor": {
"name": "Adobe",
"scada": false
}
}
},
{
"description": "Adobe Commerce 2.4.4.x versions ant\u00e9rieures \u00e0 2.4.4-p3",
"product": {
"name": "Commerce",
"vendor": {
"name": "Adobe",
"scada": false
}
}
},
{
"description": "Adobe Commerce 2.4.5.x versions ant\u00e9rieures \u00e0 2.4.5-p2",
"product": {
"name": "Commerce",
"vendor": {
"name": "Adobe",
"scada": false
}
}
},
{
"description": "Magento Open Source 2.4.5.x versions ant\u00e9rieures \u00e0 2.4.5-p2",
"product": {
"name": "Magento",
"vendor": {
"name": "Adobe",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2023-22247",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22247"
},
{
"name": "CVE-2023-22250",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22250"
},
{
"name": "CVE-2023-26359",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-26359"
},
{
"name": "CVE-2023-26360",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-26360"
},
{
"name": "CVE-2023-26361",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-26361"
},
{
"name": "CVE-2023-22249",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22249"
},
{
"name": "CVE-2023-22251",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22251"
}
],
"links": [
{
"title": "Bulletin de s\u00e9curit\u00e9 Adobe\u00a0APSB23-25 du 14 mars 2023",
"url": "https://helpx.adobe.com/security/products/coldfusion/apsb23-25.html"
}
],
"reference": "CERTFR-2023-AVI-0227",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2023-03-15T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits \u003cspan\nclass=\"textit\"\u003eAdobe\u003c/span\u003e. Elles permettent \u00e0 un attaquant de\nprovoquer une injection de code indirecte \u00e0 distance (XSS), un\ncontournement de la politique de s\u00e9curit\u00e9, une ex\u00e9cution de code\narbitraire \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n\nL\u0027\u00e9diteur indique que la vuln\u00e9rabilit\u00e9 CVE-2023-26360 est exploit\u00e9e dans\nle cadre d\u0027attaques cibl\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Adobe",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Adobe APSB23-17 du 14 mars 2023",
"url": "https://helpx.adobe.com/security/products/magento/apsb23-17.html"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Adobe APSB23-25 du 14 mars 2023",
"url": null
}
]
}
CVE-2023-22251 (GCVE-0-2023-22251)
Vulnerability from cvelistv5 – Published: 2023-03-27 00:00 – Updated: 2025-03-05 19:21
VLAI?
EPSS
Summary
Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an Incorrect Authorization vulnerability. A low-privileged authenticated attacker could leverage this vulnerability to achieve minor information disclosure.
Severity ?
4.3 (Medium)
CWE
- CWE-863 - Incorrect Authorization (CWE-863)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Affected:
unspecified , ≤ 2.4.5-p1
(custom)
Affected: unspecified , ≤ 2.4.4-p2 (custom) Affected: unspecified , ≤ None (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:07:05.459Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb23-17.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-22251",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-05T18:39:47.897681Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-05T19:21:51.464Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.5-p1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.4-p2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-03-14T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an Incorrect Authorization vulnerability. A low-privileged authenticated attacker could leverage this vulnerability to achieve minor information disclosure."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect Authorization (CWE-863)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-27T00:00:00.000Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"url": "https://helpx.adobe.com/security/products/magento/apsb23-17.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Commerce Incorrect Authorization Security feature bypass"
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2023-22251",
"datePublished": "2023-03-27T00:00:00.000Z",
"dateReserved": "2022-12-19T00:00:00.000Z",
"dateUpdated": "2025-03-05T19:21:51.464Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22250 (GCVE-0-2023-22250)
Vulnerability from cvelistv5 – Published: 2023-03-27 00:00 – Updated: 2025-03-05 19:21
VLAI?
EPSS
Summary
Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the availability of a user's minor feature. Exploitation of this issue does not require user interaction.
Severity ?
5.3 (Medium)
CWE
- CWE-284 - Improper Access Control (CWE-284)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Affected:
unspecified , ≤ 2.4.5-p1
(custom)
Affected: unspecified , ≤ 2.4.4-p2 (custom) Affected: unspecified , ≤ None (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:07:05.466Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb23-17.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-22250",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-05T18:39:21.268543Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-05T19:21:57.851Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.5-p1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.4-p2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-03-14T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the availability of a user\u0027s minor feature. Exploitation of this issue does not require user interaction."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Control (CWE-284)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-27T00:00:00.000Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"url": "https://helpx.adobe.com/security/products/magento/apsb23-17.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Commerce Improper Access Control Security feature bypass"
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2023-22250",
"datePublished": "2023-03-27T00:00:00.000Z",
"dateReserved": "2022-12-19T00:00:00.000Z",
"dateUpdated": "2025-03-05T19:21:57.851Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22247 (GCVE-0-2023-22247)
Vulnerability from cvelistv5 – Published: 2023-03-27 00:00 – Updated: 2025-03-05 19:22
VLAI?
EPSS
Summary
Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an XML Injection vulnerability that could lead to arbitrary file system read. An unauthenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction.
Severity ?
7.5 (High)
CWE
- CWE-91 - XML Injection (aka Blind XPath Injection) (CWE-91)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Affected:
unspecified , ≤ 2.4.5-p1
(custom)
Affected: unspecified , ≤ 2.4.4-p2 (custom) Affected: unspecified , ≤ None (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:07:05.282Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb23-17.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-22247",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-05T18:39:24.612548Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-05T19:22:13.312Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.5-p1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.4-p2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-03-14T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an XML Injection vulnerability that could lead to arbitrary file system read. An unauthenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-91",
"description": "XML Injection (aka Blind XPath Injection) (CWE-91)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-27T00:00:00.000Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"url": "https://helpx.adobe.com/security/products/magento/apsb23-17.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Commerce XML Injection Arbitrary file system read"
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2023-22247",
"datePublished": "2023-03-27T00:00:00.000Z",
"dateReserved": "2022-12-19T00:00:00.000Z",
"dateUpdated": "2025-03-05T19:22:13.312Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-26361 (GCVE-0-2023-26361)
Vulnerability from cvelistv5 – Published: 2023-03-23 00:00 – Updated: 2025-03-05 19:22
VLAI?
EPSS
Summary
Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in Arbitrary file system read. Exploitation of this issue does not require user interaction, but does require administrator privileges.
Severity ?
4.9 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | ColdFusion |
Affected:
unspecified , ≤ CF2018U15, CF2021U5
(custom)
Affected: unspecified , ≤ None (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:46:24.525Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/coldfusion/apsb23-25.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-26361",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-05T18:39:54.607839Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-05T19:22:22.522Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ColdFusion",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "CF2018U15, CF2021U5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-03-14T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability that could result in Arbitrary file system read. Exploitation of this issue does not require user interaction, but does require administrator privileges."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) (CWE-22)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-23T00:00:00.000Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"url": "https://helpx.adobe.com/security/products/coldfusion/apsb23-25.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe ColdFusion Directory Traversal Arbitrary file system read Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2023-26361",
"datePublished": "2023-03-23T00:00:00.000Z",
"dateReserved": "2023-02-22T00:00:00.000Z",
"dateUpdated": "2025-03-05T19:22:22.522Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-26360 (GCVE-0-2023-26360)
Vulnerability from cvelistv5 – Published: 2023-03-23 00:00 – Updated: 2025-10-21 23:15
VLAI?
EPSS
Summary
Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.
Severity ?
8.6 (High)
CWE
- CWE-284 - Improper Access Control (CWE-284)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | ColdFusion |
Affected:
unspecified , ≤ CF2018U15
(custom)
Affected: unspecified , ≤ CF2021U5 (custom) Affected: unspecified , ≤ None (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:46:24.575Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/coldfusion/apsb23-25.html"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/172079/Adobe-ColdFusion-Unauthenticated-Remote-Code-Execution.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-26360",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-04T16:12:09.022109Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2023-03-15",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-26360"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:15:21.971Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-26360"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-03-15T00:00:00+00:00",
"value": "CVE-2023-26360 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ColdFusion",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "CF2018U15",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "CF2021U5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-03-14T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Control (CWE-284)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-01T00:00:00.000Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"url": "https://helpx.adobe.com/security/products/coldfusion/apsb23-25.html"
},
{
"url": "http://packetstormsecurity.com/files/172079/Adobe-ColdFusion-Unauthenticated-Remote-Code-Execution.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe ColdFusion Improper Access Control Arbitrary code execution"
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2023-26360",
"datePublished": "2023-03-23T00:00:00.000Z",
"dateReserved": "2023-02-22T00:00:00.000Z",
"dateUpdated": "2025-10-21T23:15:21.971Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-26359 (GCVE-0-2023-26359)
Vulnerability from cvelistv5 – Published: 2023-03-23 00:00 – Updated: 2025-10-21 23:15
VLAI?
EPSS
Summary
Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.
Severity ?
9.8 (Critical)
CWE
- CWE-502 - Deserialization of Untrusted Data (CWE-502)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | ColdFusion |
Affected:
unspecified , ≤ CF2018U15, CF2021U5
(custom)
Affected: unspecified , ≤ None (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:46:24.561Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/coldfusion/apsb23-25.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-26359",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-04T16:11:26.893896Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2023-08-21",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-26359"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:15:22.129Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-26359"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-08-21T00:00:00+00:00",
"value": "CVE-2023-26359 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ColdFusion",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "CF2018U15, CF2021U5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-03-14T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "Deserialization of Untrusted Data (CWE-502)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-23T00:00:00.000Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"url": "https://helpx.adobe.com/security/products/coldfusion/apsb23-25.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe ColdFusion Deserialization of Untrusted Data Arbitrary code execution"
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2023-26359",
"datePublished": "2023-03-23T00:00:00.000Z",
"dateReserved": "2023-02-22T00:00:00.000Z",
"dateUpdated": "2025-10-21T23:15:22.129Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22249 (GCVE-0-2023-22249)
Vulnerability from cvelistv5 – Published: 2023-03-27 00:00 – Updated: 2025-03-05 19:22
VLAI?
EPSS
Summary
Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Severity ?
4.8 (Medium)
CWE
- CWE-79 - Cross-site Scripting (Stored XSS) (CWE-79)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Magento Commerce |
Affected:
unspecified , ≤ 2.4.5-p1
(custom)
Affected: unspecified , ≤ 2.4.4-p2 (custom) Affected: unspecified , ≤ None (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:07:05.430Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb23-17.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-22249",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-05T18:39:51.637619Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-05T19:22:05.107Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.5-p1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.4-p2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-03-14T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim\u2019s browser when they browse to the page containing the vulnerable field."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (Stored XSS) (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-27T00:00:00.000Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"url": "https://helpx.adobe.com/security/products/magento/apsb23-17.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Adobe Commerce Stored XSS Arbitrary code execution"
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2023-22249",
"datePublished": "2023-03-27T00:00:00.000Z",
"dateReserved": "2022-12-19T00:00:00.000Z",
"dateUpdated": "2025-03-05T19:22:05.107Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…