This week, the Adobe team released two security updates, 2.4.4-p2 and 2.4.5-p1. The updates contain fixes for two vulnerabilities, one critical and one medium. Their exploitation might enable arbitrary code execution and a bypass of security features.
The first vulnerability belongs to the CWE-79 category. It allows execution of arbitrary code using cross-site scripting (stored XSS). An attacker isn't required to have admin permissions and doesn't have to be authorized at all.
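CWE-79 stored XSS means user-supplied content that the store persists (a review, a comment, a profile field) is later written into a page without contextual output encoding. The snippet below is an added illustration, not Adobe Commerce code and not tied to the specific flaw in the advisory: it contrasts a vulnerable render path with the hardened one and adds a small check a developer can use in tests. The sample review body is constructed here, and the `render_*` helpers are hypothetical.

```python
import html

# Constructed sample of stored user content carrying an inline event handler.
# This is the kind of input a store must treat as untrusted at render time.
STORED_REVIEW = 'Great product! <img src=x onerror="alert(1)">'

WRAPPER_OPEN = '<div class="review">'
WRAPPER_CLOSE = '</div>'


def render_unescaped(review_body: str) -> str:
    """Vulnerable pattern (hypothetical): stored content is interpolated
    straight into HTML, so any tags or attributes it carries become live."""
    return f"{WRAPPER_OPEN}{review_body}{WRAPPER_CLOSE}"


def render_escaped(review_body: str) -> str:
    """Hardened pattern: contextual output encoding for the HTML body context.
    html.escape() encodes &, <, >, " and ' so the browser treats the text as
    data rather than markup."""
    return f"{WRAPPER_OPEN}{html.escape(review_body, quote=True)}{WRAPPER_CLOSE}"


def user_content_contains_markup(rendered: str) -> bool:
    """Test-time check: strip our own known wrapper and report whether the
    user-controlled part still contains a raw tag delimiter. True means the
    render path failed to encode and stored XSS is possible."""
    if not (rendered.startswith(WRAPPER_OPEN) and rendered.endswith(WRAPPER_CLOSE)):
        raise ValueError("unexpected wrapper; cannot isolate user content")
    inner = rendered[len(WRAPPER_OPEN):-len(WRAPPER_CLOSE)]
    return "<" in inner or ">" in inner


if __name__ == "__main__":
    print("unescaped:", render_unescaped(STORED_REVIEW))
    print("escaped:  ", render_escaped(STORED_REVIEW))
    print("vulnerable render leaks markup:",
          user_content_contains_markup(render_unescaped(STORED_REVIEW)))
    print("hardened render leaks markup:  ",
          user_content_contains_markup(render_escaped(STORED_REVIEW)))
```

The check is deliberately narrow: it only asks whether the untrusted segment survived encoding. In a real template engine the same discipline applies per context (HTML body, attribute value, URL, JavaScript), and the fix for a stored XSS report is to encode at output time for the context in use rather than to sanitize on input.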
The second vulnerability belongs to CWE-284 and allows bypassing some of the security features. It is less severe than the first one since it requires the attacker to obtain authorization. However, admin privileges still aren't required.
In addition, the Adobe team released an update for Adobe Commerce 2.4.4 that contains a patch allowing you to continue using DHL as a shipping method on your website. The update is required because DHL will stop supporting schema version 6.0 and move to the recently introduced version 6.2. This change would render the DHL shipping method unusable, so store owners must take care of it beforehand. Adobe Commerce 2.4.5 and newer don't require this update since schema version 6.2 is already available there.