www.belgium.be Logo of the federal government

Warning: Critical vulnerability in Magento and Adobe Commerce

Advisory #2022-30
Affected software: 
Adobe Commerce versions lower than 2.4.4-p1
Adobe Commerce versions lower than 2.4.5
Magento Open Source versions lower than 2.4.4-p1
Magento Open Source lower than 2.4.5)
Arbitrary code execution

CVE-2022-35698 - CVSS: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


Adobe security advisory


Adobe has released a security update for Magento Open Source (previously known as Magento Commerce) and Adobe Commerce. This update resolves a critical vulnerability.  Successful exploitation could lead to arbitrary code execution.

The Centre for Cyber security Belgium recommends system administrators patch vulnerable systems as soon as possible and analyze system and network logs for any suspicious activity. This report has instructions to help your organization.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident


A remote attacker can use the disclosed vulnerability to launch cross-site scripting (XSS) attacks.

The vulnerability exists as a result of inadequate sanitization of user-supplied data. In the context of a vulnerable website, a remote attacker can permanently inject and execute arbitrary HTML and script code in the user's browser.

A remote attacker who successfully exploits this vulnerability may be able to steal potentially sensitive information, change the appearance of the web page, and conduct phishing and drive-by-download attacks.

Recommended Actions

The CCB recommends installing updates for vulnerable software with the highest priority, after thorough testing.Detailed instructions can be found on: Adobe security advisory.