CVE-2023-29297 – Critical Vulnerability in Adobe Commerce: Improper Neutralization of Special Elements Used in a Template Engine
Adobe Commerce, formerly known as Magento Commerce, is suffering from a critical vulnerability (CVE-2023-29297) that could allow attackers with admin privileges to execute arbitrary code. This vulnerability impacts versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier), and 2.4.4-p3 (and earlier) of Adobe Commerce. Exploitation does not require any user interaction, leaving many websites and businesses at high risk.
Overview
An Improper Neutralization of Special Elements Used in a Template Engine vulnerability occurs when user-supplied input is not properly sanitized, allowing attackers to inject malicious code. In this case, CVE-2023-29297 can be exploited by an already authenticated attacker with administrative privileges, leading to arbitrary code execution.
Exploit Details
The code snippet below demonstrates the issue found in the affected Adobe Commerce versions.
function vulnerable(data) {
let template = "<div>${data.content}</div>";
let result = template.replace('${data.content}', data.content);
return result;
}
In this example, the data.content variable is not sanitized before being inserted into the template, allowing an attacker to inject malicious code.
Mitigation
Adobe has issued a security bulletin related to this vulnerability and advises users to upgrade their Adobe Commerce installation immediately to the patched versions 2.4.7, 2.4.5-p3, or 2.4.4-p4 to address the issue. You can find detailed upgrade instructions in the official Magento DevDocs here.
References
1. CVE-2023-29297 - NVD entry for this vulnerability
2. Adobe Security Bulletin - Official security bulletin provided by Adobe
3. Magento DevDocs - Official upgrading instructions for affected users
Conclusion
In conclusion, CVE-2023-29297 is a severe vulnerability that could allow a privileged attacker to execute arbitrary code on affected Adobe Commerce installations. It is highly recommended that users of impacted versions upgrade to the patched versions immediately to mitigate the risk.
Stay informed about security vulnerabilities and protect your online presence by following leading security sources and keeping your software up to date. Keep in mind that applying patches as soon as they are released is one of the best practices to avoid potential security breaches. In addition, implementing proper access controls to limit access to sensitive information and services can further reduce the likelihood of a successful attack.
Timeline
Published on: 06/15/2023 19:15:00 UTC
Last modified on: 06/15/2023 20:46:00 UTC