PT-2022-4897 · Adobe · Commerce

Published 2022-08-09 · Updated 2024-03-06 · CVE-2022-34254

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Adobe Commerce versions 2.4.3-p2 and earlier
Adobe Commerce versions 2.3.7-p3 and earlier
Adobe Commerce versions 2.4.4 and earlier
Description

The issue is an Improper Limitation of a Pathname to a Restricted Directory, also known as a Path Traversal vulnerability. It could allow an attacker to inject malicious scripts into the vulnerable endpoint. A low-privileged attacker could exploit it to read local files and perform Stored XSS. Exploitation does not require user interaction. The vulnerability can be exploited by a remote attacker to execute arbitrary code in the context of the current user.
Recommendations

For versions 2.4.3-p2 and earlier, 2.3.7-p3 and earlier, and 2.4.4 and earlier, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to sensitive endpoints to minimize the risk of exploitation.

Fix

Weakness Enumeration

Path traversal

Related Identifiers

BDU:2022-06058
BIT-MAGENTO-2022-34254
CVE-2022-34254
GHSA-FX9G-G9Q6-X3JX

Affected Products

Commerce