CVE-2022-35689: Adobe Security Bulletin
Adobe Commerce versions 2.4.4-p1 (and earlier) and 2.4.5 (and earlier) are affected by an Improper Access Control vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to affect the availability of a minor feature for a user. Exploitation of this issue does not require user interaction.
Security update available for Adobe Commerce | APSB22-48
Bulletin ID: APSB22-48
Date Published: October 11, 2022
Priority: 3
Summary
Adobe has released a security update for Adobe Commerce and Magento Open Source. This update resolves one critical and one medium vulnerability. Successful exploitation could lead to arbitrary code execution and a security feature bypass.
Affected Versions
Product             | Version                       | Platform
Adobe Commerce      | 2.4.4-p1 and earlier versions | All
Adobe Commerce      | 2.4.5 and earlier versions    | All
Magento Open Source | 2.4.4-p1 and earlier versions | All
Magento Open Source | 2.4.5 and earlier versions    | All
Solution
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.
Product             | Updated Version        | Platform | Priority Rating | Installation Instructions
Adobe Commerce      | 2.4.5-p1 and 2.4.4-p2  | All      | 3               | 2.4.x release notes
Magento Open Source | 2.4.5-p1 and 2.4.4-p2  | All      | 3               | 2.4.x release notes
Vulnerability Details
Vulnerability Category: Cross-site Scripting (Stored XSS) (CWE-79)
Vulnerability Impact: Arbitrary code execution
Severity: Critical
Authentication required to exploit? No
Exploit requires admin privileges? No
CVSS base score: 10.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Magento Bug ID: PRODSECBUG-3177
CVE number(s): CVE-2022-35698

Vulnerability Category: Improper Access Control (CWE-284)
Vulnerability Impact: Security feature bypass
Severity: Medium
Authentication required to exploit? Yes
Exploit requires admin privileges? No
CVSS base score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Magento Bug ID: PRODSECBUG-3180
CVE number(s): CVE-2022-35689
Acknowledgements
Adobe would like to thank the following researchers for reporting these issues and working with Adobe to help protect our customers:
- Blaklis (blaklis) - CVE-2022-35698
Revisions
October 12th, 2022: Added CVE details for CVE-2022-35689
August 22, 2022: Priority rating revision in Solution table
August 18, 2022: Added CVE-2022-35692
August 12, 2022: Updated values in “Authentication required to exploit” and “Exploit requires admin privileges.”
For more information, visit https://helpx.adobe.com/security.html, or email [email protected].