VYPR
High severity · NVD Advisory · Published Jun 15, 2023 · Updated Mar 5, 2025

Admin-to-admin stored XSS via cache poisoning

CVE-2023-29297

Description

Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Improper Neutralization of Special Elements Used in a Template Engine vulnerability that could lead to arbitrary code execution by an admin-privilege authenticated attacker. Exploitation of this issue does not require user interaction.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An authenticated admin attacker can inject template expressions into Adobe Commerce, leading to arbitrary code execution without user interaction.

Vulnerability

Analysis

CVE-2023-29297 is an improper neutralization of special elements used in a template engine vulnerability (CWE-1336) affecting Adobe Commerce. Admin-supplied text reaches the template engine as template source rather than as data, so directive syntax embedded in that text is interpreted and executed by the engine instead of being rendered as literal content. An attacker with administrative privileges can therefore inject template directives that the engine resolves server-side, bypassing the restrictions the product intends to place on what a template may do [1].
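The class of bug described above, as an added illustration that is not Adobe Commerce code and does not reproduce the actual CVE-2023-29297 mechanics: a toy `{{var ...}}` directive filter in the style of a template engine. The vulnerable resolver lets the template author call any public method on any object in the render context, so whoever controls the template text (here, an admin pasting into a content field) controls what runs; the hardened resolver maps a fixed allowlist of names to scalar values, leaves anything else as inert text, and escapes output. `Mailer`, its `exec` method and the sample input are all constructed for this example.

```php
<?php
// Added example, not Adobe Commerce code. Toy directive filter showing
// template injection (CWE-1336) and one hardened alternative.
declare(strict_types=1);

final class Mailer
{
    // Legitimate helper a template is meant to use.
    public function storeName(): string { return 'Example Store'; }

    // Stand-in for a code-execution sink reachable through the object graph.
    // Constructed for the example; it only reports what it would have run.
    public function exec(string $cmd): string { return "[would run: $cmd]"; }
}

/** Vulnerable: resolves {{var name}} and {{var name.method(arg)}} against live objects. */
function renderVulnerable(string $template, array $context): string
{
    return preg_replace_callback(
        '/\{\{var\s+([a-zA-Z_]\w*)(?:\.([a-zA-Z_]\w*)\((.*?)\))?\}\}/',
        function (array $m) use ($context): string {
            $target = $context[$m[1]] ?? '';
            if (!isset($m[2])) {
                // Plain variable: emit scalars, drop anything else.
                return is_scalar($target) ? (string) $target : '';
            }
            if (!is_object($target)) {
                return '';
            }
            $args = ($m[3] ?? '') === '' ? [] : [trim($m[3], "'\"")];
            // Any public method on any context object is callable here:
            // the template author, not the developer, decides what executes.
            return (string) call_user_func_array([$target, $m[2]], $args);
        },
        $template
    );
}

/** Hardened: only {{var NAME}} for allowlisted scalar names is resolved;
 *  every other {{...}} stays literal, and all output is HTML-escaped. */
function renderHardened(string $template, array $allowedVars): string
{
    return preg_replace_callback(
        '/\{\{\s*var\s+([a-zA-Z_]\w*)\s*\}\}|\{\{.*?\}\}/s',
        function (array $m) use ($allowedVars): string {
            $name = $m[1] ?? '';
            if ($name === '' || !array_key_exists($name, $allowedVars)) {
                // Unknown or non-trivial directive: render it as text, never resolve it.
                return htmlspecialchars($m[0], ENT_QUOTES, 'UTF-8');
            }
            return htmlspecialchars((string) $allowedVars[$name], ENT_QUOTES, 'UTF-8');
        },
        $template
    );
}

$mailer = new Mailer();

// Text an admin could paste into a template field; constructed for this example.
$adminInput = "Hi {{var customerName}}, thanks for shopping at {{var mailer.storeName()}}. "
    . "{{var mailer.exec('id')}}";

echo renderVulnerable($adminInput, ['customerName' => 'Alice', 'mailer' => $mailer]), PHP_EOL;
// Hi Alice, thanks for shopping at Example Store. [would run: id]

echo renderHardened($adminInput, ['customerName' => 'Alice', 'storeName' => $mailer->storeName()]), PHP_EOL;
// Hi Alice, thanks for shopping at {{var mailer.storeName()}}. {{var mailer.exec(&#039;id&#039;)}}
```

The design point is where the trust boundary sits: in the vulnerable form the admin's text is the program, so "admin-only" is no protection once an admin account or session is stolen; in the hardened form the admin's text is data, and the set of things a directive can do is fixed by the developer at deploy time.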

Exploitation

Conditions

Exploitation requires an attacker to hold authenticated admin-level access to an Adobe Commerce instance, whether through a legitimate account, stolen credentials or a hijacked session. No second user needs to act: the injected template content is processed server-side as part of the attacker's own admin action, such as saving a configuration value or updating content, so "no user interaction" here means the attacker alone triggers it. Affected versions are Adobe Commerce 2.4.6 and earlier, 2.4.5-p2 and earlier, and 2.4.4-p3 and earlier [1].

Impact

Successful exploitation gives the attacker arbitrary code execution on the underlying server, which is a step beyond what the admin role itself grants: they can run system commands, install malware, exfiltrate sensitive data (including customer payment information and credentials), or pivot to other internal systems. Because the attacker starts from an admin account, the practical effect is escalation from application administrator to control of the host, and full compromise of the e-commerce platform [1].

Mitigation

Adobe has released security patches for this vulnerability in Adobe Commerce and Magento Open Source. The patched releases listed under Affected packages below are 2.4.5-p3 and 2.4.4-p4; note that the ranges there (starting at 2.4.5-p1 and 2.4.4-p1) are narrower than the description, whose "and earlier" wording should be treated as the authoritative scope, and that the 2.4.6 line named in the description is not covered by the table at all. Check the running release with `bin/magento --version` and upgrade to the current patch release of your line. There are no known workarounds that fully mitigate the risk; applying the official update is strongly recommended. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                       Affected versions          Patched versions
magento/community-edition (Packagist)         >= 2.4.5-p1, < 2.4.5-p3    2.4.5-p3
magento/community-edition (Packagist)         >= 2.4.4-p1, < 2.4.4-p4    2.4.4-p4
magento/project-community-edition (Packagist) <= 2.0.2                   (none listed)
