{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-19T00:50:09.519","vulnerabilities":[{"cve":{"id":"CVE-2023-32694","sourceIdentifier":"security-advisories@github.com","published":"2023-05-25T15:15:09.027","lastModified":"2024-11-21T08:03:52.053","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Saleor Core is a composable, headless commerce API. Saleor's `validate_hmac_signature` function is vulnerable to timing attacks. Malicious users could abuse this vulnerability on Saleor deployments that have the Adyen plugin enabled to determine the secret key and forge fake events. This could affect database integrity, for example by marking an order as paid when it is not. This issue has been patched in versions 3.7.68, 3.8.40, 3.9.49, 3.10.36, 3.11.35, 3.12.25, and 3.13.16."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N","baseScore":4.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":2.5},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.5}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-203"},{"lang":"en","value":"CWE-208"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"C
WE-203"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*","versionStartIncluding":"2.11.0","versionEndExcluding":"3.7.68","matchCriteriaId":"13E1A87B-FAF4-41F6-8F64-72EB8F535642"},{"vulnerable":true,"criteria":"cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*","versionStartIncluding":"3.8.0","versionEndExcluding":"3.8.40","matchCriteriaId":"2363CBE1-4D08-4712-930A-7FC0029AFECF"},{"vulnerable":true,"criteria":"cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*","versionStartIncluding":"3.9.0","versionEndExcluding":"3.9.49","matchCriteriaId":"F0C39E26-C3BB-4B44-BD18-E011C0AFBCC8"},{"vulnerable":true,"criteria":"cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10.0","versionEndExcluding":"3.10.36","matchCriteriaId":"CBF54931-397D-4626-B4CC-CD8C2A916D12"},{"vulnerable":true,"criteria":"cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*","versionStartIncluding":"3.11.0","versionEndExcluding":"3.11.35","matchCriteriaId":"3380DEFD-93E8-4CC1-B8EC-EBBA19AF2F16"},{"vulnerable":true,"criteria":"cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*","versionStartIncluding":"3.12.0","versionEndExcluding":"3.12.25","matchCriteriaId":"AC5A2AF4-F9F2-4D98-8118-E04956E49110"},{"vulnerable":true,"criteria":"cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*","versionStartIncluding":"3.13.0","versionEndExcluding":"3.13.16","matchCriteriaId":"258863A8-21DF-4C03-9B10-9C38790E127B"}]}]}],"references":[{"url":"https://github.com/saleor/saleor/commit/1328274e1a3d04ab87d7daee90229ff47b3bc35e","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/saleor/saleor/security/advisories/GHSA-3rqj-9v87-2x3f","source":"security-advisories@github.com","tags":["Vendor 
Advisory"]},{"url":"https://github.com/saleor/saleor/commit/1328274e1a3d04ab87d7daee90229ff47b3bc35e","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://github.com/saleor/saleor/security/advisories/GHSA-3rqj-9v87-2x3f","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Vendor Advisory"]}]}}]}