October 2022 Security Cycle: 2.4.5-p1+

Security updates landed across supported lines, including 2.4.5-p1.


On 11 October 2022 Adobe issued a coordinated set of security updates across the supported version lines, including 2.4.5-p1 and 2.4.4-p2, detailed in security bulletin APSB22-48. The cycle addressed a critical stored cross-site scripting flaw (CVE-2022-35698) with a CVSS base score of 10.0, alongside an access-control issue. A base score of 10.0 is only reachable when the CVSS vector requires neither privileges nor user interaction, so this was not a bug that an admin login or a careful back-office team could be relied on to contain. For teams operating multiple stores or environments, the watchword was discipline: patch promptly, validate extensions, and follow through with regression tests that prioritise payment and admin flows.

Why it mattered: a stored XSS payload executes in the browser of whoever views the tainted content, typically an administrator, with that user's session and form keys available to it. From there an attacker can steal credentials, take over accounts, or drive admin actions from inside an already authenticated session. CSP and 2FA narrow the exposure but do not remove it: 2FA protects the login, not a session that is already open, and Magento's CSP module ships in report-only mode unless it is switched to enforcement. The safest posture is always to remove the underlying vulnerability with the vendor patch.

Adobe also published a separate hotfix for CVE-2022-35698 covering specific earlier releases. Estates running a mixture of versions (long-running integration environments, for example) had to apply the correct remediation for each line, or, better, bring those environments forward so there is a single, clearly documented patch procedure.

Practical steps we recommend:

  • Apply the patch release for your family (2.4.5-p1 or 2.4.4-p2), then confirm the installed version actually changed and that the admin loads with the CSP headers you expect, in the mode you expect (report-only versus enforced).
  • Check whether the standalone CVE-2022-35698 hotfix is needed for any non-standard environment; if so, plan and apply it before the next sprint starts.
  • Regression test payment methods, checkout and order placement; verify that webhooks and asynchronous payment callbacks still succeed.
  • Validate WAF rules and CSP allowlists so newly versioned static assets are not blocked; regenerate integrity hashes where used.
  • Engage extension vendors: confirm compatibility declarations for the new release and scan release notes for any post-patch fixes.
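The first, third and fourth steps above can be scripted so that every environment in a mixed estate gets the same check. The following is an added example written for this article; it is not Tom&Co's tooling nor anything shipped by Adobe. It assumes the installed release is read from composer.lock (the magento/product-community-edition or magento/product-enterprise-edition metapackage entry), that the admin response headers are handed in as a plain dict, and it uses hypothetical helper names (parse_version, is_patched, csp_status, sri_hash, report). The sample composer.lock and headers are constructed, not captured from a real store. Two points it makes that the list alone does not: a Magento p-release is newer than its base release, the opposite of a semver pre-release tag, so a generic semver comparer will get "2.4.5-p1 < 2.4.5" wrong; and a Content-Security-Policy-Report-Only header means violations are logged, not blocked.

```python
"""Post-patch checks for the October 2022 cycle (added example; not Tom&Co's
or Adobe's tooling). Assumptions not taken from the article: the installed
release is read from composer.lock, and response headers are passed in as a
plain dict (for example the .headers of an HTTP client response)."""
import base64
import hashlib
import json
import re

# Minimum patched release per 2.4.x family named in APSB22-48 (from the article).
PATCHED = {"2.4.5": "2.4.5-p1", "2.4.4": "2.4.4-p2"}

# Metapackage names for Adobe Commerce and Magento Open Source.
METAPACKAGES = ("magento/product-enterprise-edition",
                "magento/product-community-edition")

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(version):
    """Split '2.4.5-p1' into ((2, 4, 5), 1); the p-level is 0 when absent.

    Ordering caveat: a Magento p-release is newer than its base release,
    unlike a semver pre-release tag, so never feed these to a semver comparer.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised release string: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), int(m.group(4) or 0)


def installed_version(composer_lock_text):
    """Return the metapackage version recorded in composer.lock, or None."""
    lock = json.loads(composer_lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") in METAPACKAGES:
            return pkg["version"]
    return None


def is_patched(version):
    """True/False for a family listed in PATCHED; None when the family is not
    listed (an older line that needs the separate hotfix path instead)."""
    base, plevel = parse_version(version)
    family = "%d.%d.%d" % base
    if family not in PATCHED:
        return None
    return (base, plevel) >= parse_version(PATCHED[family])


def csp_status(headers):
    """Classify CSP on a response as 'enforced', 'report-only' or 'missing'.

    Magento_Csp ships in report-only mode by default, so 'report-only' means
    violations are reported to the report URI while inline scripts still run."""
    lower = {k.lower(): v for k, v in headers.items()}
    if "content-security-policy" in lower:
        return "enforced"
    if "content-security-policy-report-only" in lower:
        return "report-only"
    return "missing"


def sri_hash(content, algo="sha384"):
    """Subresource Integrity value for a static asset, e.g. 'sha384-<base64>'.
    Regenerate these after a patch changes the versioned asset bundles."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


# Constructed sample inputs (not from a real store): an unpatched 2.4.5 with
# the admin still in report-only mode.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "magento/framework", "version": "103.0.5"},
    {"name": "magento/product-community-edition", "version": "2.4.5"},
]})
SAMPLE_ADMIN_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "Content-Security-Policy-Report-Only": "default-src 'self'; report-uri /csp/report",
}


def report(composer_lock_text, admin_headers):
    """One-line summary suitable for pasting into the change ticket."""
    version = installed_version(composer_lock_text)
    return {
        "version": version,
        "patched": is_patched(version) if version else None,
        "csp": csp_status(admin_headers),
    }


if __name__ == "__main__":
    print(report(SAMPLE_LOCK, SAMPLE_ADMIN_HEADERS))
    # -> {'version': '2.4.5', 'patched': False, 'csp': 'report-only'}
```

Run it against each environment's composer.lock and a HEAD request to the admin URL; a "patched": None result is the signal that the environment is on a line outside the 2.4.4/2.4.5 families and needs the hotfix route rather than the p-release.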

The bigger lesson from October 2022 was operational: security is a cadence, not a crisis. Establish a quarterly patch window, keep lower environments in near lockstep with production, and invest in a lean automated test pack that catches the issues that matter. The result is faster, safer rollouts and fewer surprises.

October 2022 Security Cycle: 2.4.5-p1+ | Tom&Co