PatchSiren

CVE-2023-4663 Adobe CVE debrief

CVE-2023-4663 describes a reflected cross-site scripting issue in Connect, with the supplied NVD data indicating vulnerable Adobe Connect versions before 9. The flaw is classified as a script-related HTML tag neutralization problem (CWE-79/CWE-80). Because the attack vector is network-based and requires user interaction, it is more likely to be used against targeted users than as a fully automated wormable issue.

Vendor: Adobe
Product: Connect
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2023-09-15
Original CVE updated: 2026-05-21
Advisory published: 2023-09-15
Advisory updated: 2026-05-21

Who should care

Administrators and security teams responsible for Connect deployments should care, especially if users access public-facing pages or links that reflect request input. End users may also be affected if they are likely to click crafted links to affected pages.

Technical summary

The supplied record maps CVE-2023-4663 to a reflected XSS condition in Connect. NVD lists the vulnerable CPE as adobe:connect:* with an upper bound before 9.0, and the CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. That means the issue is remotely reachable, does not require authentication, but does require a victim to interact with a crafted request or link. The effect is script execution in the browser context of the affected application, with limited confidentiality and integrity impact and no availability impact in the supplied scoring.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade Connect to a version at or above the first fixed release indicated by the vendor/NVD boundary (version 9.0 or later, per the supplied record).
  • Review any pages or parameters that reflect user-controlled input into HTML and ensure output encoding is applied consistently.
  • Validate that temporary mitigations, such as web application filtering or strict input handling at the edge, do not break legitimate workflows.
  • Prioritize user-facing entry points, invitation links, and login or redirect flows that can carry reflected parameters.
  • Monitor for reports of suspicious links or browser-side script execution attempts against the application.

Evidence notes

The supplied official sources show CVE publication on 2023-09-15 and a later NVD modification on 2026-05-21. NVD identifies the weakness as CWE-79 with a secondary CWE-80 mapping in a third-party advisory, and the vulnerable CPE is adobe:connect:* with versionEndExcluding 9.0. The record is not marked as KEV in the supplied data.

Official resources

Publicly disclosed in the CVE/NVD record on 2023-09-15. The NVD entry was modified later on 2026-05-21. No Known Exploited Vulnerabilities listing is included in the supplied data.