CVE-2022-34258

MEDIUM severity · CVSS 4.8 · Cross-site scripting (XSS)

4.8CVSS MEDIUM

Summary

Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker with admin privileges to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredHigh

User interactionRequired

Confidentiality impactLow

Integrity impactLow

Availability impactNone

Exploit probability (EPSS)16%

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Affected products we track (1)

Magento

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Additional information

NVD record
https://helpx.adobe.com/security/products/magento/apsb22-38.htmlAdvisory
https://helpx.adobe.com/security/products/magento/apsb22-38.htmlAdvisory