4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-29288

GHSA ID

GHSA-f989-3fp9-q3r2

EPSS Score

0.4053%

CWE

CWE-863

Published

6/15/2023

Updated

3/4/2025

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-29288

CVE-2023-29288: Magento Open Source allows Incorrect Authorization

Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A privileged attacker could leverage this vulnerability to modify a minor functionality of another user's data. Exploitation of this issue does not require user interaction.

(GitHub Advisory)

4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-29288

GHSA ID

GHSA-f989-3fp9-q3r2

EPSS Score

0.4053%

CWE

CWE-863

Published

6/15/2023

Updated

3/4/2025

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
magento/community-edition	composer	= 2.4.6
magento/community-edition	composer	>= 2.4.5-p1, < 2.4.5-p3	2.4.5-p3
magento/community-edition	composer	>= 2.4.4-p1, < 2.4.4-p4	2.4.4-p4
magento/community-edition	composer	= 2.4.4
magento/community-edition	composer	= 2.4.5
magento/project-community-edition	composer	<= 2.0.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The provided vulnerability information (CVE-2023-29288) describes an Incorrect Authorization issue but does not include specific code examples, commit diffs, or patch details. The GitHub Advisory and NVD entry reference general authorization flaws in Adobe Commerce versions but do not explicitly name functions or files. Without concrete evidence of the vulnerable code paths (e.g., controller actions, API endpoints, or ACL checks), it is impossible to identify specific functions with high confidence. The lack of GitHub patch/commit data further limits the ability to isolate the exact vulnerable functions. The vulnerability likely stems from missing or flawed authorization checks in privileged workflows, but the absence of implementation details prevents precise identification.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**o** *omm*r** v*rsions *.*.* (*n* **rli*r), *.*.*-p* (*n* **rli*r) *n* *.*.*-p* (*n* **rli*r) *r* *****t** *y *n In*orr**t *ut*oriz*tion vuln*r**ility t**t *oul* r*sult in * s**urity ***tur* *yp*ss. * privil**** *tt**k*r *oul* l*v*r*** t*is vuln*r**

Reasoning

T** provi*** vuln*r**ility in*orm*tion (*V*-****-*****) **s*ri**s *n In*orr**t *ut*oriz*tion issu* *ut *o*s not in*lu** sp**i*i* *o** *x*mpl*s, *ommit *i**s, or p*t** **t*ils. T** *it*u* **visory *n* NV* *ntry r***r*n** **n*r*l *ut*oriz*tion *l*ws in

4.3

Basic Information

Concerned about an active attack path?

CVE-2023-29288: Magento Open Source allows Incorrect Authorization

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI