Oct 21

Adobe patches critical Magento XSS that puts sites at takeover risk

A super-critical vulnerability in Adobe Magento could allow attackers to fully compromise e-commerce platforms, according to the security researcher who found the bug.

Adobe has urged users to update their systems to protect their websites from abuse of the flaw, which has been assigned the maximum possible CVSS severity score of 10.

Tracked as CVE-2022-35698, the stored cross-site scripting (XSS) bug can lead to arbitrary code execution, according to an Adobe security advisory published on October 11.

The flaw affects versions 2.4.4-p1 and earlier, as well as 2.4.5 and earlier, of Adobe Commerce and Magento Open Source. The issue has been patched in versions 2.4.5-p1 and 2.4.4-p2.

It’s estimated that around 267,000 active e-commerce websites are built with Magento.

The software update also addresses a medium severity improper access control vulnerability that might be abused to bypass a security feature (CVE-2022-35689).