Adobe Commerce, formerly known as Magento Commerce, is affected by a critical vulnerability (CVE-2023-29297) that could allow attackers with admin privileges to execute arbitrary code. It impacts versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier), and 2.4.4-p3 (and earlier) of Adobe Commerce. Exploitation does not require any user interaction, leaving many websites and businesses at high risk.

Overview

An Improper Neutralization of Special Elements Used in a Template Engine vulnerability occurs when user-supplied input is not properly sanitized before it reaches the template engine, allowing attackers to inject malicious code. In this case, CVE-2023-29297 can be exploited by an already authenticated attacker with administrative privileges, leading to arbitrary code execution.

Exploit Details

The code snippet below demonstrates the issue found in the affected Adobe Commerce versions.

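function vulnerable(data) {
  // Plain string holding the placeholder (not a JavaScript template literal).
  const template = "<div>${data.content}</div>";
  // data.content is substituted as-is, with no escaping or validation.
  const result = template.replace('${data.content}', data.content);
  return result;
}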

In this example, the data.content variable is not sanitized before being inserted into the template, allowing an attacker to inject malicious code.
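For comparison, here is the same snippet next to a hardened form. This is an added example, not Adobe Commerce code or code from the original page. The names escapeHtml and render and the sample input are assumptions made for illustration.

```javascript
// Added example: hardened counterpart of the page's vulnerable() snippet.
// escapeHtml() and render() are hypothetical names, not Adobe Commerce code.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Neutralize the characters that are special in an HTML context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The page's pattern, same behaviour: raw input goes straight into the template.
function vulnerable(data) {
  const template = "<div>${data.content}</div>";
  return template.replace("${data.content}", data.content);
}

// Hardened form: escape for the output context, and pass a replacer function
// so sequences such as "$&" in the input are not expanded by replace().
function render(data) {
  const template = "<div>${data.content}</div>";
  const safe = escapeHtml(data.content);
  return template.replace("${data.content}", () => safe);
}

// Constructed sample input: harmless markup plus a "$&" replacement pattern.
const sample = { content: "<i>hi</i> $&" };

console.log(vulnerable(sample)); // markup kept, "$&" expanded to the placeholder
console.log(render(sample));     // markup and "$&" both rendered as inert text
```

The sample shows two kinds of special elements slipping through the unsanitized version: HTML markup, and the `$&` pattern that `String.prototype.replace` expands when the replacement is a string.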

Mitigation

Adobe has issued a security bulletin for this vulnerability and advises users to upgrade their Adobe Commerce installation immediately to the patched versions 2.4.7, 2.4.5-p3, or 2.4.4-p4. Detailed upgrade instructions are available in the official Magento DevDocs.

References

1. CVE-2023-29297 - NVD entry for this vulnerability
2. Adobe Security Bulletin - Official security bulletin provided by Adobe
3. Magento DevDocs - Official upgrading instructions for affected users

Conclusion

In conclusion, CVE-2023-29297 is a severe vulnerability that could allow a privileged attacker to execute arbitrary code on affected Adobe Commerce installations. It is highly recommended that users of impacted versions upgrade to the patched versions immediately to mitigate the risk.

Stay informed about security vulnerabilities and protect your online presence by following leading security sources and keeping your software up to date. Keep in mind that applying patches as soon as they are released is one of the best practices to avoid potential security breaches. In addition, implementing proper access controls to limit access to sensitive information and services can further reduce the likelihood of a successful attack.

Timeline

Published on: 06/15/2023 19:15:00 UTC
Last modified on: 06/15/2023 20:46:00 UTC