WEB APPLICATION VULNERABILITIES Standard & Premium

Magento XML Injection (aka Blind XPath Injection) Vulnerability (CVE-2022-34253)

Description

Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an XML Injection vulnerability in the Widgets Module. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution. Exploitation of this issue does not require user interaction.

Remediation

References

Related Vulnerabilities

WordPress Plugin MediaPress Security Bypass (1.1.9)

Jboss EAP Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2017-12167)

WordPress Plugin NextScripts:Social Networks Auto-Poster Cross-Site Scripting (4.3.20)

WordPress Plugin Migration, Backup, Staging-WPvivid Cross-Site Scripting (0.9.55)

Serendipity Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2006-6242)

Severity

High

Classification

CVE-2022-34253 CWE-91 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities