CVE-2023-29290: 
PHP vulnerability analysis and mitigation

Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier), and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability identified as CVE-2023-29290. The vulnerability was discovered and reported by Pieter Zandbergen, with the initial CVE record being created on April 4, 2023. This security issue could potentially result in a security feature bypass, with the notable characteristic that it doesn't require any user interaction for exploitation (NVD, CVE).

The vulnerability has been classified with a CVSS v3.1 Base Score of 5.3 (MEDIUM) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. This indicates that the vulnerability is network-accessible, requires low attack complexity, needs no privileges, and requires no user interaction. The vulnerability is categorized under CWE-353 (Missing Support for Integrity Check) (NVD).

The vulnerability could result in a security feature bypass, allowing an attacker to bypass minor functionality. The impact is primarily focused on integrity with a low severity rating, while there are no direct impacts on confidentiality or availability according to the CVSS scoring (NVD).

Adobe has addressed this vulnerability through security updates. Users of affected versions (Adobe Commerce 2.4.6 and earlier, 2.4.5-p2 and earlier, and 2.4.4-p3 and earlier) should update to the latest version of the software to mitigate this security risk (Adobe Advisory).