Adobe Commerce 2.4.3-p2 - 2.4.5 security hotfix for CVE-2022-35698

On October 11, 2022, Adobe released regularly scheduled security patches 2.4.5-p1 and 2.4.4-p2 for Adobe Commerce and Magento Open Source.

Among these patches is an update that resolves a Cross-site Scripting (Stored XSS) (CWE-79) vulnerability tracked by CVE-2022-35698 rated important.

Adobe is not aware of any exploits for this issue.

In this article you will find hotfix patches for this issue for the earlier versions of Adobe Commerce and Magento Open Source.

Affected products and versions

Adobe Commerce on cloud infrastructure and on-premises, and Magento Open Source:

  • 2.4.5
  • 2.4.4, 2.4.4-p1
  • 2.4.3-p2, 2.4.3-p3
  • 2.3.7-p3, 2.3.7-p4
  • 2.4.3-p1 and below 2.4.3-p1 are not affected if all applicable 2.4.x security hotfixes are applied (Please find the list of all security hotfixes applicable for your version here.).
  • 2.3.7-p2 and below 2.3.7-p2 are not affected if all applicable 2.3.x security hotfixes are applied (Please find the list of all security hotfixes applicable for your version here.).

Solution for Adobe Commerce on cloud infrastructure and on-premises, and Magento Open Source

To resolve the vulnerability if you are on Adobe Commerce on cloud infrastructure and on-premises, or Magento Open Source, you must apply ACSD-47578 patch.

Solution for Adobe Commerce on cloud infrastructure and on-premises merchants on 2.3.7-p3 and 2.3.7-p4 versions who purchased our Extended Support offering program

Adobe Commerce on cloud infrastructure and on-premises merchants on 2.3.7-p3 and 2.3.7-p4 versions who purchased our Extended Support offering program must apply the first extended support 2.3.7 security patch which can be downloaded from the Marketplace portal in the My Account/Downloads section.

Solution for Adobe Commerce on cloud infrastructure and on-premises merchants, who are not participating in Extended Support program, and Magento Open Source merchants on versions 2.3.7-p3 and 2.3.7-p4

Adobe Commerce on cloud infrastructure and on-premises merchants, who are not participating in the Extended Support program, and Magento Open Source merchants on versions 2.3.7-p3 and 2.3.7-p4 must upgrade to a supported 2.4.x version.

Patch

Use the following attached patches, depending on your Adobe Commerce/Magento Open Source version:

For versions 2.4.4, 2.4.4-p1, 2.4.5:

For versions 2.4.3-p2, 2.4.3-p3:

How to apply the patch

Unzip the file and see How to apply a composer patch provided by Adobe in our support knowledge base for instructions.

How to tell whether the patches have been applied

Considering that it is not possible to easily check if the issue was patched, you might want to check whether the ACSD-47578 patch has been successfully applied.

You can do this by taking the following steps:

  1. Install the Quality Patches Tool.

  2. Run the command:

    code language-bash
    vendor/bin/magento-patches -n status |grep "47578|Status"
    
  3. You should see output similar to this, where ACSD-47578 returns the  Applied  status:

    code language-bash
    ║ Id            │ Title                                                        │ Category        │ Origin                 │ Status      │ Details                                          ║ ║ N/A           │ ../m2-hotfixes/ACSD-47578__2.4.4_2.4.5_COMPOSER_patch.patch      │ Other           │ Local                  │ Applied     │ Patch type: Custom
    

Security updates

Security updates available for Adobe Commerce:

recommendation-more-help
8bd06ef0-b3d5-4137-b74e-d7b00485808a