CVE-2023-26366: 
PHP vulnerability analysis and mitigation

Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier), and 2.4.4-p5 (and earlier) are affected by a Server-Side Request Forgery (SSRF) vulnerability. The vulnerability was discovered by security researcher Sebastien Cantos (truff) and was publicly disclosed on October 13, 2023 (Adobe Advisory).

The vulnerability is classified as a Server-Side Request Forgery (SSRF) issue (CWE-918) that could potentially lead to arbitrary file system read. The vulnerability has been assigned a CVSS v3.1 base score of 6.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N, indicating network accessibility, low attack complexity, and requiring high privileges (NVD).

The vulnerability allows an authenticated attacker with high privileges to force the application to make arbitrary requests through URL injection. The scope is changed due to the ability to enforce file read operations outside the application's path boundary. The impact primarily affects the confidentiality of the system, with no direct impact on integrity or availability (NVD).

Adobe has released security updates to address this vulnerability. Users are advised to update their Adobe Commerce installations to the latest available version that includes the security fix (Adobe Advisory).