VYPR
Low severity · NVD Advisory · Published Jun 15, 2023 · Updated Mar 5, 2025

Insecure Direct Object Reference (IDOR) in Create Quote Function

CVE-2023-29295

Description

Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass a minor functionality. Exploitation of this issue does not require user interaction.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Adobe Commerce versions 2.4.6, 2.4.5-p2 and 2.4.4-p3 (and earlier releases on each branch) contain an incorrect authorization flaw, an IDOR in the create quote function, that lets a low-privileged attacker bypass a minor security feature without any user interaction.

Vulnerability

Overview

CVE-2023-29295 is an incorrect authorization vulnerability in Adobe Commerce, including Magento Open Source, affecting versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier), and 2.4.4-p3 (and earlier). The advisory title identifies it as an insecure direct object reference (IDOR) in the create quote function: code acts on an object named by a caller-supplied reference without verifying that the caller is authorized for that object. Because the authorization check is missing rather than the authentication, a low-privileged but authenticated attacker can bypass a security feature [1].

Exploitation

Exploitation requires only low privileges and no user interaction, so any authenticated account with limited permissions can trigger it directly, and it can be combined with other issues in a chain. Adobe describes the bypassed functionality as "minor", but the absence of any interaction requirement keeps the bar for exploitation low [1].

Impact

A successful exploit results in a security feature bypass. Because only low privileges are needed, an attacker could act on a quote that authorization controls should have kept out of reach, extending what a limited account can do within the application. The vulnerability carries a CVSS v3.1 base score of 5.4 (Medium), with a network attack vector and low attack complexity [1].
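The root cause described under Overview and Impact is the standard IDOR shape: a request carries an object ID, and the handler acts on that object without checking whom it belongs to. The following is an added example written for this page in Python; it is not Adobe Commerce or Magento code, and the Quote and Session types, the in-memory store and the add_item_* handler names are hypothetical. It places a handler that trusts the caller-supplied quote ID beside one that checks ownership before acting, and runs both from a low-privileged session that references another customer's quote.

```python
"""Ownership check on a caller-supplied object reference (added example).

Not Adobe Commerce / Magento code. Quote, Session, make_store and the
add_item_* handlers are hypothetical; only the pattern is taken from the
advisory: an ID from the request is used without checking ownership, and
the fix verifies ownership before doing anything with the object.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


class AuthorizationError(Exception):
    """The caller is not allowed to act on the referenced object."""


@dataclass
class Quote:
    quote_id: int
    customer_id: int                          # owner (hypothetical field name)
    items: List[str] = field(default_factory=list)


@dataclass
class Session:
    customer_id: int                          # authenticated, low-privileged customer


def make_store() -> Dict[int, Quote]:
    """Constructed sample data: two customers, one quote each."""
    return {101: Quote(101, customer_id=1), 202: Quote(202, customer_id=2)}


def add_item_vulnerable(store: Dict[int, Quote], session: Session,
                        quote_id: int, sku: str) -> Quote:
    """IDOR: the quote_id from the request is trusted as-is.

    Authentication happened (there is a session) but authorization did not:
    nothing ties quote_id to session.customer_id, so customer 2 can modify
    customer 1's quote simply by sending 101.
    """
    quote = store[quote_id]
    quote.items.append(sku)
    return quote


def add_item_fixed(store: Dict[int, Quote], session: Session,
                   quote_id: int, sku: str) -> Quote:
    """Resolve the object, then check it belongs to the caller before acting.

    'Not found' and 'not yours' raise the same error, so the handler does
    not double as an oracle for which quote IDs exist.
    """
    quote = store.get(quote_id)
    if quote is None or quote.customer_id != session.customer_id:
        raise AuthorizationError("quote not accessible to this customer")
    quote.items.append(sku)
    return quote


def attempt(handler: Callable[..., Quote], store: Dict[int, Quote],
            session: Session, quote_id: int, sku: str) -> str:
    """Run a handler and report 'ok' or 'denied' for side-by-side comparison."""
    try:
        handler(store, session, quote_id, sku)
        return "ok"
    except AuthorizationError:
        return "denied"


def run_scenario(handler: Callable[..., Quote]) -> Tuple[str, str, List[str]]:
    """Customer 2 touches its own quote (202), then customer 1's quote (101).

    Returns (result on own quote, result on foreign quote, items now in 101).
    """
    store = make_store()
    attacker = Session(customer_id=2)
    own = attempt(handler, store, attacker, 202, "SKU-OWN")
    cross = attempt(handler, store, attacker, 101, "SKU-CROSS")
    return own, cross, store[101].items


if __name__ == "__main__":
    for handler in (add_item_vulnerable, add_item_fixed):
        own, cross, foreign_items = run_scenario(handler)
        print(f"{handler.__name__}: own quote {own}, other customer's quote {cross}, "
              f"quote 101 now holds {foreign_items}")
```

In a real store the check belongs in the data access layer rather than after a load: query by both the quote ID and the authenticated customer ID so an unowned object is never materialised, and keep the "not found" and "not yours" responses identical.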

Mitigation

Adobe addressed the issue in security updates for each affected branch: upgrade to Adobe Commerce 2.4.6-p1, 2.4.5-p3 or 2.4.4-p4 (or later). No workarounds have been published, so the patch release is the only mitigation. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package (Packagist)                  Affected versions           Patched versions
magento/community-edition            >= 2.4.5-p1, < 2.4.5-p3     2.4.5-p3
magento/community-edition            >= 2.4.4-p1, < 2.4.4-p4     2.4.4-p4
magento/project-community-edition    <= 2.0.2                    (none listed)
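To check an installation against the fixed releases named in the Mitigation section and the table above, the following added example (written for this page; not Adobe's, Magento's or GitHub's tooling) parses Magento-style version strings, including the -pN patch level, and compares them with the first fixed release on each branch. Two assumptions are built in: the per-branch rule (every release on a 2.4.x branch below that branch's listed patch release is affected, and older branches should move to 2.4.4-p4 or later) is drawn from Adobe's "and earlier" wording, and the version string is assumed to come from the store's composer.json or from the output of `bin/magento --version`.

```python
"""Does an installed Adobe Commerce / Magento Open Source version still need
the CVE-2023-29295 fix? (added example, not Adobe or Magento code)

Fixed versions come from this page's Mitigation section and affected-packages
table. The per-branch rule and the 'bin/magento --version' output format are
assumptions, labelled where they are used.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]   # (major, minor, patch, p-level); p-level 0 = base release

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")
_TOKEN_RE = re.compile(r"\d+\.\d+\.\d+(?:-p\d+)?")


def parse_version(text: str) -> Version:
    """'2.4.5-p2' -> (2, 4, 5, 2); '2.4.5' -> (2, 4, 5, 0).

    The p-level is a separate trailing component, so a base release sorts
    below its own -p1 and a range such as '>= 2.4.5-p1' compares correctly.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {text!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def version_token(text: str) -> str:
    """Pull the first Magento-style version out of free text.

    Handles 'Magento CLI 2.4.5-p2' (assumed bin/magento --version format) or
    a composer.json line such as '"version": "2.4.4-p3",'.
    """
    m = _TOKEN_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return m.group(0)


# First patch release on each branch that contains the fix (from the page).
FIXED_IN = {
    (2, 4, 4): "2.4.4-p4",
    (2, 4, 5): "2.4.5-p3",
    (2, 4, 6): "2.4.6-p1",
}
LAST_AFFECTED_BRANCH = (2, 4, 6)   # the description names 2.4.6 as the newest affected release


def fix_needed(installed: str) -> Optional[str]:
    """Return the release to upgrade to, or None if the install is not affected.

    Assumption: every release on a branch below that branch's fixed release is
    affected ('and earlier'), and branches older than 2.4.4 have no listed
    patch release, so the nearest patched branch, 2.4.4-p4, is the target.
    """
    v = parse_version(installed)
    branch = v[:3]
    if branch > LAST_AFFECTED_BRANCH:
        return None
    fixed = FIXED_IN.get(branch)
    if fixed is None:                     # 2.4.3 and older, or 2.3.x
        return FIXED_IN[(2, 4, 4)]
    return fixed if v < parse_version(fixed) else None


if __name__ == "__main__":
    # Constructed sample inputs; the first mimics bin/magento --version output.
    for sample in ("Magento CLI 2.4.5-p2", '"version": "2.4.4-p4",', "2.4.6", "2.4.3-p3", "2.4.7"):
        v = version_token(sample)
        target = fix_needed(v)
        print(f"{v:10s} -> {'upgrade to ' + target if target else 'not affected'}")
```

One caveat the table makes visible: the affected ranges it lists start at -p1, so the base 2.4.5 and 2.4.4 releases fall outside them, while Adobe's description ("2.4.5-p2 and earlier", "2.4.4-p3 and earlier") covers them. The function follows the description and reports those base releases as affected; a scanner that only consumes the range table would miss them.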

Affected products: 4

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)