CVE-2022-34257: Adobe Security Bulletin
Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Security update available for Adobe Commerce | APSB22-38
Bulletin ID: APSB22-38
Date Published: August 9, 2022
Priority: 3
Summary
Adobe has released a security update for Adobe Commerce and Magento Open Source. This update resolves critical, important and moderate vulnerabilities. Successful exploitation could lead to arbitrary code execution, privilege escalation and security feature bypass.
Affected Versions
Product              Version                         Platform
Adobe Commerce       2.4.3-p2 and earlier versions   All
Adobe Commerce       2.3.7-p3 and earlier versions   All
Adobe Commerce       2.4.4 and earlier versions      All
Magento Open Source  2.4.3-p2 and earlier versions   All
Magento Open Source  2.3.7-p3 and earlier versions   All
Magento Open Source  2.4.4 and earlier versions      All
Solution
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.
Product              Updated Version                        Platform   Priority Rating   Installation Instructions
Adobe Commerce       2.3.7-p4, 2.4.3-p3, 2.4.4-p1, 2.4.5    All        1                 2.4.x release notes; 2.3.x release notes
Magento Open Source  2.3.7-p4, 2.4.3-p3, 2.4.4-p1, 2.4.5    All        1                 2.4.x release notes; 2.3.x release notes
Vulnerability Details
CVE-2022-34253
  Vulnerability Category: XML Injection (aka Blind XPath Injection) (CWE-91)
  Vulnerability Impact: Arbitrary code execution
  Severity: Critical
  Authentication required to exploit? Yes
  Exploit requires admin privileges? Yes
  CVSS base score: 9.1
  CVSS vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
  Magento Bug ID: PRODSECBUG-3095

CVE-2022-34254
  Vulnerability Category: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) (CWE-22)
  Vulnerability Impact: Arbitrary code execution
  Severity: Critical
  Authentication required to exploit? Yes
  Exploit requires admin privileges? No
  CVSS base score: 8.5
  CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
  Magento Bug ID: PRODSECBUG-3081

CVE-2022-34255
  Vulnerability Category: Improper Input Validation (CWE-20)
  Vulnerability Impact: Privilege escalation
  Severity: Critical
  Authentication required to exploit? Yes
  Exploit requires admin privileges? No
  CVSS base score: 8.3
  CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
  Magento Bug ID: PRODSECBUG-3082

CVE-2022-34256
  Vulnerability Category: Improper Authorization (CWE-285)
  Vulnerability Impact: Privilege escalation
  Severity: Critical
  Authentication required to exploit? No
  Exploit requires admin privileges? No
  CVSS base score: 8.2
  CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
  Magento Bug ID: PRODSECBUG-3093

CVE-2022-34257
  Vulnerability Category: Cross-site Scripting (Stored XSS) (CWE-79)
  Vulnerability Impact: Arbitrary code execution
  Severity: Important
  Authentication required to exploit? No
  Exploit requires admin privileges? No
  CVSS base score: 6.1
  CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  Magento Bug ID: PRODSECBUG-3079

CVE-2022-34258
  Vulnerability Category: Cross-site Scripting (Stored XSS) (CWE-79)
  Vulnerability Impact: Arbitrary code execution
  Severity: Moderate
  Authentication required to exploit? Yes
  Exploit requires admin privileges? Yes
  CVSS base score: 3.5
  CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
  Magento Bug ID: PRODSECBUG-3080

CVE-2022-34259
  Vulnerability Category: Improper Access Control (CWE-284)
  Vulnerability Impact: Security feature bypass
  Severity: Important
  Authentication required to exploit? No
  Exploit requires admin privileges? No
  CVSS base score: 5.3
  CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  Magento Bug ID: PRODSECBUG-3180
Acknowledgements
Adobe would like to thank the following researchers for reporting these issues and working with Adobe to help protect our customers:
zb3 (zb3) - CVE-2022-34253, CVE-2022-34255, CVE-2022-34256
Edgar Boda-Majer (eboda) - CVE-2022-34254, CVE-2022-34257
Salman Khan (salmanbabuzai) - CVE-2022-34258
Axel Flamcourt (axfla) - CVE-2022-34259
Revisions
August 12, 2022: Updated values in “Authentication required to exploit” and “Exploit requires admin privileges.”
For more information, visit https://helpx.adobe.com/security.html, or email [email protected].