CVE-2022-35698: 
PHP vulnerability analysis and mitigation

Adobe Commerce versions 2.4.4-p1 (and earlier) and 2.4.5 (and earlier) are affected by a Stored Cross-site Scripting (XSS) vulnerability identified as CVE-2022-35698. The vulnerability was discovered and disclosed on October 11, 2022, affecting multiple versions of Adobe Commerce and Magento Open Source platforms (Adobe Security Bulletin, NVD).

The vulnerability is rated as important with a CVSS v3 Base Score of 5.4 (Medium). The attack vector is network-based, requires low attack complexity, low privileges, and user interaction. The vulnerability has a changed scope with low impact on both confidentiality and integrity, while having no impact on availability (AttackerKB).

Exploitation of this vulnerability could result in post-authentication arbitrary code execution. The vulnerability affects both confidentiality and integrity of the system with low impact, while not affecting system availability (AttackerKB).

Adobe released security patches 2.4.5-p1 and 2.4.4-p2 for Adobe Commerce and Magento Open Source to address this vulnerability. For earlier versions, users must apply the ACSD-47578 patch. Merchants on versions 2.3.7-p3 and 2.3.7-p4 who purchased Extended Support offering program must apply the first extended support 2.3.7 security patch available from the Marketplace portal. Those not participating in Extended Support program must upgrade to a supported 2.4.x version (Adobe Help).