Adobe Commerce XML Injection Security feature bypass
Description
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an XML Injection vulnerability. An attacker with low privileges could use a specially crafted script to achieve a security feature bypass. Exploitation of this issue does not require user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Commerce is vulnerable to XML Injection, allowing low-privileged attackers to bypass security features via a crafted script without user interaction.
Analysis
An XML Injection vulnerability exists in Adobe Commerce versions 2.4.6 and earlier, 2.4.5-p2 and earlier, and 2.4.4-p3 and earlier. The flaw arises from improper handling of XML input, allowing an attacker to inject malicious XML content that triggers a bypass of security features [1].
An attacker with low privileges, such as an authenticated user with basic access, can exploit this vulnerability by submitting a specially crafted script that performs XML injection. Because the attack requires no user interaction, it is easier to exploit [1].
Successful exploitation allows the attacker to bypass certain security features, potentially leading to privilege escalation, unauthorized access to sensitive data, or further compromise of the Adobe Commerce instance. The exact impact can vary depending on the configuration and environment [1].
Adobe has released security updates to address this vulnerability. Users are advised to upgrade to the latest versions of Adobe Commerce and Magento Open Source to mitigate the risk. The official NVD entry provides further details and CVSS metrics [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Source | Affected versions | Patched versions |
|---|---|---|---|
| magento/community-edition | Packagist | >= 2.4.5-p1, < 2.4.5-p3 | 2.4.5-p3 |
| magento/community-edition | Packagist | >= 2.4.4-p1, < 2.4.4-p4 | 2.4.4-p4 |
| magento/project-community-edition | Packagist | <= 2.0.2 | none |
Affected products
- Range: <= 2.4.6, <= 2.4.5-p2, <= 2.4.4-p3 (no CPE)
- Range: <= 2.0.2 (no CPE)
- Adobe/Magento Commerce (v5): range unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.