
Adobe Commerce 2.4.3-p2 - 2.4.5 security hotfix for CVE-2022-35698

On October 11, 2022, Adobe released regularly scheduled security patches 2.4.5-p1 and 2.4.4-p2 for Adobe Commerce and Magento Open Source.

Among these patches is an update that resolves a Cross-site Scripting (Stored XSS) vulnerability tracked by CVE-2022-35698.

Adobe is not aware of any exploits for this issue.

In this article you will find hotfix patches for this issue for the earlier versions of Adobe Commerce and Magento Open Source.

Description

Environment

Adobe Commerce on cloud infrastructure and on-premises, and Magento Open Source:

  • 2.4.5
  • 2.4.4, 2.4.4-p1
  • 2.4.3-p2, 2.4.3-p3
  • 2.3.7-p3, 2.3.7-p4
  • 2.4.3-p1 and below are not affected if all applicable 2.4.x security hotfixes are applied (see the list of all security hotfixes applicable to your version).
  • 2.3.7-p2 and below are not affected if all applicable 2.3.x security hotfixes are applied (see the list of all security hotfixes applicable to your version).

Resolution

Solution for Adobe Commerce on cloud infrastructure and on-premises, and Magento Open Source

To resolve the vulnerability if you are on Adobe Commerce on cloud infrastructure and on-premises, or Magento Open Source, you must apply the ACSD-47578 patch.

Solution for Adobe Commerce on cloud infrastructure and on-premises merchants on 2.3.7-p3 and 2.3.7-p4 versions who purchased our Extended Support offering program

Adobe Commerce on cloud infrastructure and on-premises merchants on 2.3.7-p3 and 2.3.7-p4 versions who purchased our Extended Support offering program must apply the first extended support 2.3.7 security patch, which can be downloaded from the My Account/Downloads section.

Solution for Adobe Commerce on cloud infrastructure and on-premises merchants who are not participating in the Extended Support program, and Magento Open Source merchants on versions 2.3.7-p3 and 2.3.7-p4

Adobe Commerce on cloud infrastructure and on-premises merchants who are not participating in the Extended Support program, and Magento Open Source merchants on versions 2.3.7-p3 and 2.3.7-p4, must upgrade to a supported 2.4.x version.

Patch

Use the following attached patches, depending on your Adobe Commerce/Magento Open Source version:

For versions 2.4.4, 2.4.4-p1, 2.4.5:

For versions 2.4.3-p2, 2.4.3-p3:

How to apply the patch

Unzip the file and see How to apply a composer patch provided by Adobe in our support knowledge base for instructions.

How to tell whether the patches have been applied

Because there is no easy way to check whether the issue itself has been fixed, verify instead that the ACSD-47578 patch has been successfully applied.

You can do this by taking the following steps:

  1. Install the Quality Patches Tool.
  2. Run the command:
    vendor/bin/magento-patches -n status | grep -E "47578|Status"
  3. You should see output similar to this, where ACSD-47578 returns the Applied status:
    ║ Id            │ Title                                                        │ Category        │ Origin                 │ Status      │ Details                                          ║
    ║ N/A           │ ../m2-hotfixes/ACSD-47578__2.4.4_2.4.5_COMPOSER_patch.patch      │ Other           │ Local                  │ Applied     │ Patch type: Custom
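As an added example that is not part of the Adobe article, the following POSIX sh helper turns the status check above into an unattended test (for example in a deployment pipeline): it parses the Quality Patches Tool status table from standard input and reports the Status column for one patch id. The function names, the exit-code convention and the embedded sample table are assumptions constructed for the demo.

```shell
# Constructed sample of the `vendor/bin/magento-patches -n status` table
# (two local patch rows, only ACSD-47578 applied). Not real tool output.
SAMPLE_STATUS='║ Id            │ Title                                                        │ Category        │ Origin                 │ Status      │ Details                                          ║
║ N/A           │ ../m2-hotfixes/ACSD-47578__2.4.4_2.4.5_COMPOSER_patch.patch      │ Other           │ Local                  │ Applied     │ Patch type: Custom                               ║
║ N/A           │ ../m2-hotfixes/EXAMPLE-00001__demo.patch                         │ Other           │ Local                  │ Not applied │ Patch type: Custom                               ║'

# patch_status ID < status-table
# Prints the Status column of the first row whose Title contains ID.
# Exit 0 = Applied, 1 = listed but not Applied, 2 = no row for ID.
# (Hypothetical helper; columns follow the table layout shown above.)
patch_status() {
  awk -v id="$1" -F '│' '
    # The header row and rows for other patches do not carry the id in Title.
    index($2, id) == 0 { next }
    {
      status = $5                                      # Status column
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", status)  # trim cell padding
      print status
      found = 1
      rc = (status == "Applied") ? 0 : 1
      exit
    }
    END { if (!found) exit 2; exit rc }
  '
}

# check_hotfix ID < status-table
# Succeeds only when ID is listed with Status "Applied"; usable in `if`.
check_hotfix() {
  status=$(patch_status "$1") || return $?
  [ "$status" = "Applied" ]
}

# Stand-alone demonstration on the constructed sample.
if printf '%s\n' "$SAMPLE_STATUS" | check_hotfix ACSD-47578; then
  echo "ACSD-47578: applied"
else
  echo "ACSD-47578: NOT applied (exit $?)"
fi
```

In real use, replace the sample with the live command, e.g. `vendor/bin/magento-patches -n status | check_hotfix ACSD-47578`.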

Security updates

Security updates available for Adobe Commerce:
