10

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-35698

GHSA ID

GHSA-4vj2-426r-jm3g

EPSS Score

0.90682%

CWE

CWE-79

Published

10/15/2022

Updated

3/4/2025

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-35698

CVE-2022-35698: Magento Open Source allows Stored Cross-Site Scripting (Stored XSS)

Adobe Commerce versions 2.4.3-p3 (and earlier), 2.4.4-p1 (and earlier) and 2.4.5 (and earlier) are affected by a Stored Cross-site Scripting vulnerability. Exploitation of this issue does not require user interaction and could result in a post-authentication arbitrary code execution.

(GitHub Advisory)

10

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-35698

GHSA ID

GHSA-4vj2-426r-jm3g

EPSS Score

0.90682%

CWE

CWE-79

Published

10/15/2022

Updated

3/4/2025

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions
magento/community-edition	composer	= 2.4.4-p1
magento/community-edition	composer	= 2.4.4
magento/community-edition	composer	= 2.4.5
magento/community-edition	composer	>= 2.4.3-p1, <= 2.4.3-p3
magento/community-edition	composer	= 2.4.3
magento/project-community-edition	composer	<= 2.0.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The provided vulnerability information describes a Stored XSS issue (CWE-79) but does not include specific code examples, commit diffs, or patch details that would allow identification of exact vulnerable functions. While the advisory indicates the vulnerability involves improper input neutralization during web page generation, Magento's architecture contains multiple layers where this could occur (e.g., controllers handling user input, template rendering functions, or data persistence layers). However, without concrete evidence from code changes or vendor-supplied technical details about the vulnerability mechanism, we cannot confidently specify particular functions or file paths. The post-authentication requirement suggests the vulnerability might exist in admin panel functionality, but this remains speculative without further technical documentation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**o** *omm*r** v*rsions *.*.*-p* (*n* **rli*r), *.*.*-p* (*n* **rli*r) *n* *.*.* (*n* **rli*r) *r* *****t** *y * Stor** *ross-sit* S*riptin* vuln*r**ility. *xploit*tion o* t*is issu* *o*s not r*quir* us*r int*r**tion *n* *oul* r*sult in * post-*ut**n

Reasoning

T** provi*** vuln*r**ility in*orm*tion **s*ri**s * Stor** XSS issu* (*W*-**) *ut *o*s not in*lu** sp**i*i* *o** *x*mpl*s, *ommit *i**s, or p*t** **t*ils t**t woul* *llow i**nti*i**tion o* *x**t vuln*r**l* *un*tions. W*il* t** **visory in*i**t*s t** v

10

Basic Information

Concerned about an active attack path?

CVE-2022-35698: Magento Open Source allows Stored Cross-Site Scripting (Stored XSS)

10

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI