On October 11, 2022, Adobe released regularly scheduled security patches 2.4.5-p1 and 2.4.4-p2 for Adobe Commerce and Magento Open Source.
Among these patches is an update that resolves a Cross-site Scripting (Stored XSS) (CWE-79) vulnerability tracked by CVE-2022-35698 rated important.
Adobe is not aware of any exploits for this issue.
In this article you will find hotfix patches for this issue for the earlier versions of Adobe Commerce and Magento Open Source.
Adobe Commerce on cloud infrastructure and on-premises, and Magento Open Source:
To resolve the vulnerability if you are on Adobe Commerce on cloud infrastructure and on-premises, or Magento Open Source, you must apply ACSD-47578 patch.
Adobe Commerce on cloud infrastructure and on-premises merchants on 2.3.7-p3 and 2.3.7-p4 versions who purchased our Extended Support offering program must apply the first extended support 2.3.7 security patch which can be downloaded from the Marketplace portal in the
My Account/Downloads section.
Adobe Commerce on cloud infrastructure and on-premises merchants, who are not participating in the Extended Support program, and Magento Open Source merchants on versions 2.3.7-p3 and 2.3.7-p4 must upgrade to a supported 2.4.x version.
Use the following attached patches, depending on your Adobe Commerce/Magento Open Source version:
Unzip the file and see How to apply a composer patch provided by Adobe in our support knowledge base for instructions.
Considering that it is not possible to easily check if the issue was patched, you might want to check whether the ACSD-47578 patch has been successfully applied.
You can do this by taking the following steps:
Run the command:
vendor/bin/magento-patches -n status |grep "47578|Status"
You should see output similar to this, where ACSD-47578 returns the Applied status:
║ Id │ Title │ Category │ Origin │ Status │ Details ║ ║ N/A │ ../m2-hotfixes/ACSD-47578__2.4.4_2.4.5_COMPOSER_patch.patch │ Other │ Local │ Applied │ Patch type: Custom
Security updates available for Adobe Commerce: