Adobe Security Bulletin

Security update available for Adobe Commerce | APSB22-48

| Bulletin ID | Date Published | Priority |
|---|---|---|
| APSB22-48 | October 11, 2022 | 3 |

Summary

Adobe has released a security update for Adobe Commerce and Magento Open Source. This update resolves a critical and a medium vulnerability. Successful exploitation could lead to arbitrary code execution and security feature bypass.

Affected Versions

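| Product | Version | Platform |
|---|---|---|
| Adobe Commerce | 2.4.4-p1 and earlier versions | All |
| Adobe Commerce | 2.4.5 and earlier versions | All |
| Adobe Commerce | 2.4.3-p3 and earlier versions | All |
| Magento Open Source | 2.4.4-p1 and earlier versions | All |
| Magento Open Source | 2.4.5 and earlier versions | All |
| Magento Open Source | 2.4.3-p3 and earlier versions | All |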

Note:

  • Versions 2.4.3-p1 and below are not affected if all applicable security hotfixes are applied.

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.

| Product | Updated Version | Platform | Priority Rating | Installation Instructions |
|---|---|---|---|---|
| Adobe Commerce | 2.4.5-p1 and 2.4.4-p2 | All | 3 | 2.4.x release notes |
| Magento Open Source | 2.4.5-p1 and 2.4.4-p2 | All | 3 | |
| Adobe Commerce | 2.4.3-p3_Hotfix | All | 3 | ACSD-47578 patch |
| Magento Open Source | 2.4.3-p3_Hotfix | All | 3 | |

Vulnerability Details

| Vulnerability Category | Vulnerability Impact | Severity | Authentication required to exploit? | Exploit requires admin privileges? | CVSS base score | CVSS vector | Magento Bug ID | CVE number(s) |
|---|---|---|---|---|---|---|---|---|
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Critical | No | No | 10.0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | PRODSECBUG-3177 | CVE-2022-35698 |
| Improper Access Control (CWE-284) | Security feature bypass | Medium | Yes | No | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | PRODSECBUG-3180 | CVE-2022-35689 |

Acknowledgements

Adobe would like to thank the following researchers for reporting this issue and working with Adobe to help protect our customers:

  • Blaklis (blaklis) - CVE-2022-35698

Revisions

October 12th, 2022: Added CVE details for CVE-2022-35689

October 18th, 2022: Added Affected / Fix details for 2.4.3.x

 

Revisions

August 22, 2022: Priority rating revision in Solution table

August 18, 2022: Added CVE-2022-35692

August 12, 2022: Updated values in "Authentication required to exploit" and "Exploit requires admin privileges."

 


For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.
