Security update available for Adobe Commerce | APSB22-48

Bulletin ID | Date Published | Priority |
---|---|---|
APSB22-48 | October 11, 2022 | 3 |
Summary
Affected Versions
Product | Version | Platform |
---|---|---|
Adobe Commerce | 2.4.5 and earlier versions | All |
Adobe Commerce | 2.4.4-p1 and earlier versions | All |
Adobe Commerce | 2.4.3-p3 and earlier versions | All |
Magento Open Source | 2.4.5 and earlier versions | All |
Magento Open Source | 2.4.4-p1 and earlier versions | All |
Magento Open Source | 2.4.3-p3 and earlier versions | All |
Note:
- 2.4.3-p1 and below are not affected if all applicable security hotfixes are applied
Solution
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.
Product | Updated Version | Platform | Priority Rating | Installation Instructions |
---|---|---|---|---|
Adobe Commerce | 2.4.5-p1 and 2.4.4-p2 | All | 3 | 2.4.x release notes |
Magento Open Source | 2.4.5-p1 and 2.4.4-p2 | All | 3 | 2.4.x release notes |
Adobe Commerce | 2.4.3-p3_Hotfix | All | 3 | ACSD-47578 patch |
Magento Open Source | 2.4.3-p3_Hotfix | All | 3 | ACSD-47578 patch |
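The Affected Versions and Solution tables above define a simple check that a defender can run against an installed version string: parse the Magento-style version (with its optional `-pN` security patch suffix) and compare it with the fixed patch level for that release line. The following is an added example, not Adobe's or Magento's own code; it assumes the `parse_version` / `apsb22_48_status` names, that a missing `-pN` suffix means patch level 0, and that 2.4.3-p3 and earlier count as fixed only when the ACSD-47578 hotfix is applied.

```python
import re
from typing import Tuple

# Fixed security-patch level per 2.4.x line, taken from the Solution table:
# 2.4.5-p1 and 2.4.4-p2. The 2.4.3 line is handled separately because its
# fix is the ACSD-47578 hotfix on top of 2.4.3-p3, not a new patch release.
FIXED_PATCH_LEVEL = {(2, 4, 5): 1, (2, 4, 4): 2}
HOTFIX_LINE = (2, 4, 3)
HOTFIX_MAX_PATCH = 3  # "2.4.3-p3 and earlier versions" are affected

# Assumed version format: MAJOR.MINOR.PATCH with an optional -pN suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse '2.4.4-p1' into (major, minor, patch, security_patch).
    A version without a '-pN' suffix is treated as security patch level 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, sec = m.groups()
    return (int(major), int(minor), int(patch), int(sec or 0))


def apsb22_48_status(version: str, hotfix_applied: bool = False) -> str:
    """Classify an installed version against this bulletin's tables.
    Returns 'affected', 'fixed', or 'not covered' when the release line
    is not listed in the bulletin (no claim is made either way)."""
    major, minor, patch, sec = parse_version(version)
    line = (major, minor, patch)
    if line in FIXED_PATCH_LEVEL:
        # Same line: fixed once the patch level reaches the updated version.
        return "fixed" if sec >= FIXED_PATCH_LEVEL[line] else "affected"
    if line == HOTFIX_LINE:
        if sec > HOTFIX_MAX_PATCH:
            return "not covered"  # newer than anything the bulletin describes
        # Assumption: the hotfix is the only fix for this line.
        return "fixed" if hotfix_applied else "affected"
    return "not covered"


if __name__ == "__main__":
    for v in ("2.4.5", "2.4.5-p1", "2.4.4-p1", "2.4.4-p2", "2.4.3-p3"):
        print(f"{v:10s} -> {apsb22_48_status(v)}")
```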
Vulnerability Details
Vulnerability Category | Vulnerability Impact | Severity | Authentication required to exploit? | Exploit requires admin privileges? | CVSS base score | CVSS vector | Magento Bug ID | CVE number(s) |
---|---|---|---|---|---|---|---|---|
Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Critical | No | No | 10.0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | PRODSECBUG-3177 | CVE-2022-35698 |
Improper Access Control (CWE-284) | Security feature bypass | Medium | Yes | No | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | PRODSECBUG-3180 | CVE-2022-35689 |
Acknowledgements
Adobe would like to thank the following researchers for reporting this issue and working with Adobe to help protect our customers:
- Blaklis (blaklis) - CVE-2022-35698
Revisions
October 12th, 2022: Added CVE details for CVE-2022-35689
October 18th, 2022: Added Affected / Fix details for 2.4.3.x
Revisions
August 22, 2022: Priority rating revision in Solution table
August 18, 2022: Added CVE-2022-35692
August 12, 2022: Updated values in "Authentication required to exploit" and "Exploit requires admin privileges."
For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.