CVE-2022-34255: 
PHP vulnerability analysis and mitigation

Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier), and 2.4.4 (and earlier) are affected by an Improper Access Control vulnerability identified as CVE-2022-34255. The vulnerability was discovered and assigned on June 21, 2022, and could result in privilege escalation. This security flaw allows an attacker with a low-privilege account to perform account takeover attacks against victims, with no user interaction required for exploitation (NVD, CVE Mitre).

The vulnerability is classified as an Improper Access Control issue (CWE-284) and Incorrect Authorization (CWE-863). It received a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, low privileges required, no user interaction needed, and high impact on confidentiality, integrity, and availability (NVD).

The vulnerability can lead to privilege escalation and account takeover attacks. When successfully exploited, an attacker with a low-privilege account can gain unauthorized access to victim accounts, potentially compromising the confidentiality, integrity, and availability of the affected systems (NVD).

Adobe has addressed this vulnerability in their security advisory. Users of affected versions should upgrade to the latest version of Adobe Commerce to mitigate this security risk (Adobe Advisory).