VYPR
Moderate severity · NVD Advisory · Published Oct 13, 2023 · Updated Feb 27, 2025

Adobe Commerce | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)

CVE-2023-38249

Description

Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability that could lead to arbitrary code execution by an admin-privilege authenticated attacker. Exploitation of this issue does not require user interaction, and attack complexity is high as it requires knowledge of tooling beyond just using the UI.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Adobe Commerce versions 2.4.7-beta1, 2.4.6-p2, 2.4.5-p4, 2.4.4-p5 and earlier contain an SQL injection flaw (CWE-89) that an authenticated administrator can escalate to arbitrary code execution.

CVE-2023-38249 is an SQL injection vulnerability in Adobe Commerce: attacker-controlled input reaches an SQL statement without the special characters in it being neutralized. It affects versions 2.4.7-beta1, 2.4.6-p2, 2.4.5-p4, 2.4.4-p5 and earlier [1].

Exploitation requires an attacker who is already authenticated with admin privileges; no user interaction is needed. Adobe rates the attack complexity as high because it requires tooling beyond the standard admin UI [1]. In practice this means the exposure is to compromised or malicious admin accounts rather than to anonymous visitors.

Successful exploitation could allow the attacker to execute arbitrary code on the affected system [1], that is, to turn an admin session into control of the store host.

Users should upgrade to the patched releases listed under Affected packages (2.4.7-beta2, 2.4.6-p3, 2.4.5-p5 and 2.4.4-p6). Note that the GitHub Security Advisory ranges start at the first p-release of each line (for example >= 2.4.6-p1), whereas Adobe's wording ("and earlier") covers the whole line, so treat any release older than the patched version as affected. Because the flaw is reachable only from an admin session, reviewing and minimizing admin accounts is a sensible interim control while patching.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                             Source     Affected versions               Patched version
magento/community-edition           Packagist  >= 2.4.7-beta1, < 2.4.7-beta2   2.4.7-beta2
magento/community-edition           Packagist  >= 2.4.6-p1, < 2.4.6-p3         2.4.6-p3
magento/community-edition           Packagist  >= 2.4.5-p1, < 2.4.5-p5         2.4.5-p5
magento/community-edition           Packagist  >= 2.4.4-p1, < 2.4.4-p6         2.4.4-p6
magento/project-community-edition   Packagist  <= 2.0.2                        (none listed)
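The ranges above are easy to misread by hand because Adobe Commerce version strings carry both pre-release (-betaN) and patch (-pN) suffixes, and Composer orders them as 2.4.7-beta1 < 2.4.7-beta2 < 2.4.7 < 2.4.7-p1. The following is an added example, not code from the advisory, Adobe or GitHub: it encodes the GitHub Security Advisory ranges from the table into a small checker for the magento/community-edition version found in a composer.lock. The sample lock file content is constructed for the demonstration, and the range list deliberately follows the GHSA table, which is narrower than Adobe's "and earlier" wording; extend AFFECTED_RANGES if you want the broader interpretation.

```python
import json
import re
from typing import Optional, Tuple

# Affected ranges exactly as listed in the GitHub Security Advisory table on
# this page: lower bound inclusive, upper bound (the patched release) exclusive.
AFFECTED_RANGES = [
    ("2.4.7-beta1", "2.4.7-beta2"),
    ("2.4.6-p1", "2.4.6-p3"),
    ("2.4.5-p1", "2.4.5-p5"),
    ("2.4.4-p1", "2.4.4-p6"),
]

# Matches "2.4.6", "2.4.6-p2" and "2.4.7-beta1"; anything else is rejected
# rather than silently compared.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(beta|p)(\d+))?$")

# Composer ordering: pre-releases sort before the bare release, patch
# releases after it.  2.4.7-beta2 < 2.4.7 < 2.4.7-p1
_STAGE_RANK = {"beta": -1, None: 0, "p": 1}


def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """Turn an Adobe Commerce version string into a comparable tuple."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unsupported Adobe Commerce version string: {v!r}")
    major, minor, patch, stage, num = m.groups()
    return (int(major), int(minor), int(patch), _STAGE_RANK[stage], int(num or 0))


def fixed_version_for(v: str) -> Optional[str]:
    """Return the patched release for v's line if v falls in a GHSA range, else None."""
    key = parse_version(v)
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo) <= key < parse_version(hi):
            return hi
    return None


def is_affected(v: str) -> bool:
    return fixed_version_for(v) is not None


def check_composer_lock(lock_json: str) -> Optional[str]:
    """Return the installed magento/community-edition version if it is in an
    affected range, or None if it is absent or already patched."""
    data = json.loads(lock_json)
    for pkg in data.get("packages", []):
        if pkg.get("name") == "magento/community-edition":
            version = pkg.get("version", "")
            return version if is_affected(version) else None
    return None


# Constructed sample: a minimal composer.lock pinning a vulnerable release.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "magento/framework", "version": "103.0.6-p2"},
        {"name": "magento/community-edition", "version": "2.4.6-p2"},
    ]
})

if __name__ == "__main__":
    hit = check_composer_lock(SAMPLE_LOCK)
    if hit:
        print(f"VULNERABLE: magento/community-edition {hit}, upgrade to {fixed_version_for(hit)}")
    else:
        print("magento/community-edition not in an affected GHSA range")
```

Run it against your own lock file with `check_composer_lock(open("composer.lock").read())`. Unknown version formats raise instead of being treated as safe, which is the right failure mode for a vulnerability check.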

Affected products: 4

Patches: 0 (no patch commits linked yet; the patched releases are those in the Affected packages table above)


References: 3
