Commerce
by Adobe Inc.
CVEs (177)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-38221 | 0.00 | — | 0.01 | Oct 13, 2023 | Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability that could lead in arbitrary code… | |||
| CVE-2022-24093 | 0.00 | — | 0.01 | Sep 12, 2023 | Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability. Exploitation of this issue does not require user interaction and could result in a post-authentication arbitrary code execution. | |||
| CVE-2021-36036 | 0.00 | — | 0.02 | Sep 6, 2023 | Magento versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper access control vulnerability within Magento's Media Gallery Upload workflow. By storing a specially crafted file in the website gallery, an authenticated attacker… | |||
| CVE-2021-36021 | 0.00 | — | 0.02 | Sep 6, 2023 | Magento versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an Improper input validation vulnerability within the CMS page scheduled update feature. An authenticated attacker with administrative privilege could leverage this vulnerability… | |||
| CVE-2023-38207 | 0.00 | — | 0.01 | Aug 9, 2023 | Adobe Commerce versions 2.4.6-p1 (and earlier), 2.4.5-p3 (and earlier) and 2.4.4-p4 (and earlier) are affected by a XML Injection (aka Blind XPath Injection) vulnerability that could lead in minor arbitrary file system read. Exploitation of this issue does not require user… | |||
| CVE-2023-29293 | 0.00 | — | 0.01 | Jun 15, 2023 | Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. An admin privileged attacker could leverage this vulnerability to impact the… | |||
| CVE-2023-29288 | 0.00 | — | 0.01 | Jun 15, 2023 | Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A privileged attacker could leverage this vulnerability to modify a minor… | |||
| CVE-2022-42344 | 0.00 | — | 0.01 | Oct 20, 2022 | Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Incorrect Authorization vulnerability. An authenticated attacker can exploit this vulnerability to achieve information exposure and privilege escalation. | |||
| CVE-2020-14274 | 0.00 | — | 0.01 | Jan 12, 2021 | Information disclosure vulnerability in HCL Commerce 9.0.1.9 through 9.0.1.14 and 9.1 through 9.1.4 could allow a remote attacker to obtain user personal data via unknown vectors. | |||
| CVE-2020-14275 | 0.00 | — | 0.01 | Jan 12, 2021 | Security vulnerability in HCL Commerce 9.0.0.5 through 9.0.0.13, 9.0.1.0 through 9.0.1.14 and 9.1 through 9.1.4 could allow denial of service, disclosure of user personal data, and performing of unauthorized administrative operations. | |||
| CVE-2020-6302 | 0.00 | — | 0.01 | Sep 9, 2020 | SAP Commerce versions 6.7, 1808, 1811, 1905, 2005 contains the jSession ID in the backoffice URL when the application is loaded initially. An attacker can get this session ID via shoulder surfing or man in the middle attack and subsequently get access to admin user accounts,… | |||
| CVE-2020-6264 | 0.00 | — | 0.01 | Jun 10, 2020 | SAP Commerce, versions - 6.7, 1808, 1811, 1905, may allow an attacker to access information under certain conditions which would otherwise be restricted, leading to Information Disclosure. | |||
| CVE-2020-6265 | 0.00 | — | 0.01 | Jun 9, 2020 | SAP Commerce, versions - 6.7, 1808, 1811, 1905, and SAP Commerce (Data Hub), versions - 6.7, 1808, 1811, 1905, allows an attacker to bypass the authentication and/or authorization that has been configured by the system administrator due to the use of Hardcoded Credentials. | |||
| CVE-2020-6238 | 0.00 | — | 0.01 | Apr 14, 2020 | SAP Commerce, versions - 6.6, 6.7, 1808, 1811, 1905, does not process XML input securely in the Rest API from Servlet xyformsweb, leading to Missing XML Validation. This affects confidentiality and availability (partially) of SAP Commerce. | |||
| CVE-2020-6232 | 0.00 | — | 0.01 | Apr 14, 2020 | SAP Commerce, versions 1811, 1905, does not perform necessary authorization checks for an anonymous user, due to Missing Authorization Check. This affects confidentiality of secure media. | |||
| CVE-2019-7940 | 0.00 | — | 0.01 | Aug 2, 2019 | A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated… | |||
| CVE-2019-0238 | 0.00 | — | 0.01 | Jan 8, 2019 | SAP Commerce (previously known as SAP Hybris Commerce), before version 6.7, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. |
- CVE-2023-38221Oct 13, 2023risk 0.00cvss —epss 0.01
Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability that could lead in arbitrary code…
- CVE-2022-24093Sep 12, 2023risk 0.00cvss —epss 0.01
Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability. Exploitation of this issue does not require user interaction and could result in a post-authentication arbitrary code execution.
- CVE-2021-36036Sep 6, 2023risk 0.00cvss —epss 0.02
Magento versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper access control vulnerability within Magento's Media Gallery Upload workflow. By storing a specially crafted file in the website gallery, an authenticated attacker…
- CVE-2021-36021Sep 6, 2023risk 0.00cvss —epss 0.02
Magento versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an Improper input validation vulnerability within the CMS page scheduled update feature. An authenticated attacker with administrative privilege could leverage this vulnerability…
- CVE-2023-38207Aug 9, 2023risk 0.00cvss —epss 0.01
Adobe Commerce versions 2.4.6-p1 (and earlier), 2.4.5-p3 (and earlier) and 2.4.4-p4 (and earlier) are affected by a XML Injection (aka Blind XPath Injection) vulnerability that could lead in minor arbitrary file system read. Exploitation of this issue does not require user…
- CVE-2023-29293Jun 15, 2023risk 0.00cvss —epss 0.01
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. An admin privileged attacker could leverage this vulnerability to impact the…
- CVE-2023-29288Jun 15, 2023risk 0.00cvss —epss 0.01
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A privileged attacker could leverage this vulnerability to modify a minor…
- CVE-2022-42344Oct 20, 2022risk 0.00cvss —epss 0.01
Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Incorrect Authorization vulnerability. An authenticated attacker can exploit this vulnerability to achieve information exposure and privilege escalation.
- CVE-2020-14274Jan 12, 2021risk 0.00cvss —epss 0.01
Information disclosure vulnerability in HCL Commerce 9.0.1.9 through 9.0.1.14 and 9.1 through 9.1.4 could allow a remote attacker to obtain user personal data via unknown vectors.
- CVE-2020-14275Jan 12, 2021risk 0.00cvss —epss 0.01
Security vulnerability in HCL Commerce 9.0.0.5 through 9.0.0.13, 9.0.1.0 through 9.0.1.14 and 9.1 through 9.1.4 could allow denial of service, disclosure of user personal data, and performing of unauthorized administrative operations.
- CVE-2020-6302Sep 9, 2020risk 0.00cvss —epss 0.01
SAP Commerce versions 6.7, 1808, 1811, 1905, 2005 contains the jSession ID in the backoffice URL when the application is loaded initially. An attacker can get this session ID via shoulder surfing or man in the middle attack and subsequently get access to admin user accounts,…
- CVE-2020-6264Jun 10, 2020risk 0.00cvss —epss 0.01
SAP Commerce, versions - 6.7, 1808, 1811, 1905, may allow an attacker to access information under certain conditions which would otherwise be restricted, leading to Information Disclosure.
- CVE-2020-6265Jun 9, 2020risk 0.00cvss —epss 0.01
SAP Commerce, versions - 6.7, 1808, 1811, 1905, and SAP Commerce (Data Hub), versions - 6.7, 1808, 1811, 1905, allows an attacker to bypass the authentication and/or authorization that has been configured by the system administrator due to the use of Hardcoded Credentials.
- CVE-2020-6238Apr 14, 2020risk 0.00cvss —epss 0.01
SAP Commerce, versions - 6.6, 6.7, 1808, 1811, 1905, does not process XML input securely in the Rest API from Servlet xyformsweb, leading to Missing XML Validation. This affects confidentiality and availability (partially) of SAP Commerce.
- CVE-2020-6232Apr 14, 2020risk 0.00cvss —epss 0.01
SAP Commerce, versions 1811, 1905, does not perform necessary authorization checks for an anonymous user, due to Missing Authorization Check. This affects confidentiality of secure media.
- CVE-2019-7940Aug 2, 2019risk 0.00cvss —epss 0.01
A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated…
- CVE-2019-0238Jan 8, 2019risk 0.00cvss —epss 0.01
SAP Commerce (previously known as SAP Hybris Commerce), before version 6.7, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
Page 9 of 9