Warning: Critical vulnerability in Magento and Adobe Commerce
CVE-2022-35698 - CVSS: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Risks
Adobe has released a security update for Magento Open Source (previously known as Magento Commerce) and Adobe Commerce. This update resolves a critical vulnerability. Successful exploitation could lead to arbitrary code execution.
The Centre for Cyber Security Belgium recommends that system administrators patch vulnerable systems as soon as possible and analyze system and network logs for any suspicious activity. This report contains instructions to help your organization.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
Description
A remote attacker can use the disclosed vulnerability to launch cross-site scripting (XSS) attacks.
The vulnerability exists as a result of inadequate sanitization of user-supplied data. In the context of a vulnerable website, a remote attacker can permanently inject and execute arbitrary HTML and script code in the user's browser.
A remote attacker who successfully exploits this vulnerability may be able to steal potentially sensitive information, change the appearance of the web page, and conduct phishing and drive-by-download attacks.
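The two points above, the injection path (user-supplied text stored and echoed without encoding) and the log review the CCB recommends, are illustrated by the following Python example. It is added here for explanation and is not Magento, Adobe or CERT.be code: the review records, the access-log lines and the URL paths in them are constructed, the regular expression is a deliberately narrow illustration of "markup a review body should never produce", and the rendering functions stand in for any template that concatenates user data into a page.

```python
import html
import re
from typing import Dict, Iterable, List
from urllib.parse import unquote_plus

# Constructed sample data, not taken from the advisory: review bodies as a
# customer-facing form might store them. Two of them carry classic XSS probes.
SAMPLE_REVIEWS: List[Dict[str, str]] = [
    {"author": "alice", "body": "Great product, fast shipping."},
    {"author": "mallory", "body": "<script>alert('xss')</script>"},
    {"author": "eve", "body": '<img src=x onerror="alert(1)">'},
]

# Markup that a plain-text review must never turn into once rendered: a script
# element, a tag carrying an on* event handler, or a javascript: URL. Kept
# narrow on purpose; it is an illustration, not a complete XSS detector.
ACTIVE_CONTENT = re.compile(
    r"<\s*script\b|<\s*\w+[^>]*\bon\w+\s*=|\bjavascript\s*:",
    re.IGNORECASE,
)


def render_unsafe(reviews: Iterable[Dict[str, str]]) -> str:
    """The vulnerable pattern: user-supplied text is concatenated straight
    into the page, so stored markup becomes part of the DOM for every visitor."""
    rows = [f"<li><b>{r['author']}</b>: {r['body']}</li>" for r in reviews]
    return "<ul>" + "".join(rows) + "</ul>"


def render_safe(reviews: Iterable[Dict[str, str]]) -> str:
    """The hardened form: every user-controlled value is HTML-entity encoded
    for the element-content context it lands in. quote=True also encodes
    quotes, so the same helper stays safe inside attribute values."""
    rows = [
        f"<li><b>{html.escape(r['author'], quote=True)}</b>: "
        f"{html.escape(r['body'], quote=True)}</li>"
        for r in reviews
    ]
    return "<ul>" + "".join(rows) + "</ul>"


def contains_active_content(fragment: str) -> bool:
    """True if the fragment still carries executable markup after rendering."""
    return ACTIVE_CONTENT.search(fragment) is not None


# Constructed access-log lines (common log format) for the advisory's advice to
# review logs: the second and third requests carry URL-encoded probes. The
# paths are invented for the example and are not taken from the advisory.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [14/Oct/2022:10:01:02 +0000] "POST /review/product/post/ HTTP/1.1" 302 0
203.0.113.9 - - [14/Oct/2022:10:01:07 +0000] "POST /review/product/post/?detail=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 302 0
203.0.113.9 - - [14/Oct/2022:10:01:09 +0000] "GET /catalog/product/view/id/1?x=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E HTTP/1.1" 200 5120
198.51.100.7 - - [14/Oct/2022:10:02:00 +0000] "GET /catalog/product/view/id/1 HTTP/1.1" 200 5120
"""

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def flag_suspicious_requests(log_text: str) -> List[str]:
    """Return the request targets whose URL-decoded form carries script-like
    markup. Decoding first matters: an encoded payload never matches raw."""
    hits: List[str] = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        target = m.group("target")
        if contains_active_content(unquote_plus(target)):
            hits.append(target)
    return hits


if __name__ == "__main__":
    print("unsafe page still executable:", contains_active_content(render_unsafe(SAMPLE_REVIEWS)))
    print("escaped page still executable:", contains_active_content(render_safe(SAMPLE_REVIEWS)))
    for t in flag_suspicious_requests(SAMPLE_ACCESS_LOG):
        print("suspicious request:", t)
```

Output encoding at render time is the fix the example demonstrates; filtering on input (as the log scanner does) is useful for triage of what has already reached the server, but encoded, split or obfuscated payloads slip past a pattern list, so it complements the patch rather than replacing it.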
Recommended Actions
The CCB recommends installing updates for vulnerable software with the highest priority, after thorough testing. Detailed instructions can be found in the Adobe security advisory.