Adobe Commerce 2.4.3-p2 - 2.4.5 security hotfix for CVE-2022-35698
On October 11, 2022, Adobe released regularly scheduled security patches 2.4.5-p1 and 2.4.4-p2 for Adobe Commerce and Magento Open Source.
Among these patches is an update that resolves a Cross-site Scripting (Stored XSS) (CWE-79) vulnerability tracked by CVE-2022-35698 rated important.
Adobe is not aware of any exploits for this issue.
In this article you will find hotfix patches for this issue for the earlier versions of Adobe Commerce and Magento Open Source.
Affected products and versions
Adobe Commerce on cloud infrastructure and on-premises, and Magento Open Source:
- 2.4.5
- 2.4.4, 2.4.4-p1
- 2.4.3-p2, 2.4.3-p3
- 2.3.7-p3, 2.3.7-p4
- 2.4.3-p1 and below 2.4.3-p1 are not affected if all applicable 2.4.x security hotfixes are applied (Please find the list of all security hotfixes applicable for your version here.).
- 2.3.7-p2 and below 2.3.7-p2 are not affected if all applicable 2.3.x security hotfixes are applied (Please find the list of all security hotfixes applicable for your version here.).
Solution for Adobe Commerce on cloud infrastructure and on-premises, and Magento Open Source
To resolve the vulnerability if you are on Adobe Commerce on cloud infrastructure and on-premises, or Magento Open Source, you must apply ACSD-47578 patch.
Solution for Adobe Commerce on cloud infrastructure and on-premises merchants on 2.3.7-p3 and 2.3.7-p4 versions who purchased our Extended Support offering program
Adobe Commerce on cloud infrastructure and on-premises merchants on 2.3.7-p3 and 2.3.7-p4 versions who purchased our Extended Support offering program must apply the first extended support 2.3.7 security patch which can be downloaded from the Marketplace portal in the My Account/Downloads
section.
Solution for Adobe Commerce on cloud infrastructure and on-premises merchants, who are not participating in Extended Support program, and Magento Open Source merchants on versions 2.3.7-p3 and 2.3.7-p4
Adobe Commerce on cloud infrastructure and on-premises merchants, who are not participating in the Extended Support program, and Magento Open Source merchants on versions 2.3.7-p3 and 2.3.7-p4 must upgrade to a supported 2.4.x version.
Patch
Use the following attached patches, depending on your Adobe Commerce/Magento Open Source version:
For versions 2.4.4, 2.4.4-p1, 2.4.5:
For versions 2.4.3-p2, 2.4.3-p3:
How to apply the patch
Unzip the file and see How to apply a composer patch provided by Adobe in our support knowledge base for instructions.
How to tell whether the patches have been applied
Considering that it is not possible to easily check if the issue was patched, you might want to check whether the ACSD-47578 patch has been successfully applied.
You can do this by taking the following steps:
-
Run the command:
code language-bash vendor/bin/magento-patches -n status |grep "47578|Status"
-
You should see output similar to this, where ACSD-47578 returns the Applied status:
code language-bash ║ Id │ Title │ Category │ Origin │ Status │ Details ║ ║ N/A │ ../m2-hotfixes/ACSD-47578__2.4.4_2.4.5_COMPOSER_patch.patch │ Other │ Local │ Applied │ Patch type: Custom
Security updates
Security updates available for Adobe Commerce: