CVSS3: 9.8 Critical
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Adobe has released an emergency advisory for users of its Adobe Commerce and Magento Open Source platforms. It explains that a critical zero-day vulnerability is actively being exploited in attacks against sites that use these two content management systems (CMSs). Users should apply the patch as soon as possible.
Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This vulnerability has been assigned CVE-2022-24086.
The flaw is described as an improper input validation vulnerability that could lead to arbitrary code execution. It is exploitable without credentials and is rated critical, with a CVSS base score of 9.8 out of 10.
A remote, unauthenticated attacker can send a malicious request to the application and execute arbitrary code on the server hosting it. Successful exploitation may result in complete compromise of the affected system.
Adobe says its own security team discovered the flaw, but it is aware that CVE-2022-24086 has been exploited in the wild in very limited attacks. Adobe has provided no further technical detail about the vulnerability, to limit the possibility of further exploitation.
Needless to say, if you operate one of the affected products, patch now.
Magento is an Adobe company that offers a hosted and a self-hosted CMS for web shops. The free version, Magento Open Source, is open source, which lets users make their own changes and lets developers create extensions for the CMS.
The vulnerability affects Adobe Commerce and Magento Open Source 2.4.3-p1 and earlier versions, as well as 2.3.7-p2 and earlier versions.
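Deciding whether a given install sits inside those two ranges is easy to get wrong, because Magento's patch-level suffix (`2.4.3-p1`) does not compare as a plain dotted version. The following is an added Python example, not Adobe's or Malwarebytes' code, that parses that suffix, applies the advisory's upper bounds (2.4.3-p1 on the 2.4 branch, 2.3.7-p2 on the 2.3 branch), and reads the installed platform version out of a composer.lock file. The lock fragment is constructed for the run; it assumes the platform is pinned through the `magento/product-community-edition` (Open Source) or `magento/product-enterprise-edition` (Adobe Commerce) metapackage, as Composer-based installs are. "Not affected" below means only "above the advisory's upper bound", not a statement about any particular later release.

```python
"""Check whether a Magento Open Source / Adobe Commerce install falls in the
version range Adobe lists as affected by CVE-2022-24086:
2.4.3-p1 and earlier on the 2.4 branch, 2.3.7-p2 and earlier on 2.3."""
import json
import re

# Last affected patch level per branch, taken from the advisory ranges above.
# Tuple form: (major, minor, patch, p-level); a plain "2.4.3" has p-level 0.
LAST_AFFECTED = {
    (2, 4): (2, 4, 3, 1),   # 2.4.3-p1 and earlier
    (2, 3): (2, 3, 7, 2),   # 2.3.7-p2 and earlier
}

# Composer metapackages that pin the platform version in composer.lock.
PLATFORM_PACKAGES = (
    "magento/product-community-edition",   # Magento Open Source
    "magento/product-enterprise-edition",  # Adobe Commerce
)

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(text):
    """Turn '2.4.3-p1' (or '2.4.3') into a comparable 4-tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected(version):
    """True if the version is inside the advisory's affected range.

    Raises ValueError for branches the advisory does not name (Magento 1,
    2.2.x and older), which are end-of-life and must be handled separately
    rather than silently reported as not affected.
    """
    v = parse_version(version)
    branch = v[:2]
    if branch not in LAST_AFFECTED:
        raise ValueError(f"{version}: branch {branch[0]}.{branch[1]} is not "
                         "covered by the advisory; treat as unsupported")
    return v <= LAST_AFFECTED[branch]


def platform_version_from_lock(lock_json):
    """Read the installed platform version out of composer.lock contents."""
    data = json.loads(lock_json)
    for pkg in data.get("packages", []):
        if pkg.get("name") in PLATFORM_PACKAGES:
            return pkg["version"]
    raise ValueError("no Magento/Adobe Commerce platform package in composer.lock")


def check_lock(lock_json):
    """Return (installed version, affected?) for a composer.lock string."""
    version = platform_version_from_lock(lock_json)
    return version, is_affected(version)


# Constructed composer.lock fragment (not from a real site) so the script runs
# stand-alone; point check_lock() at open("composer.lock").read() in practice.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "magento/framework", "version": "103.0.3-p1"},
        {"name": "magento/product-community-edition", "version": "2.4.3-p1"},
    ]
})


if __name__ == "__main__":
    version, affected = check_lock(SAMPLE_LOCK)
    verdict = "AFFECTED - apply Adobe's patch" if affected else "above the advisory's upper bound"
    print(f"{version}: {verdict}")
```

Run it from the Magento root with the real composer.lock in place of `SAMPLE_LOCK`; a ValueError rather than a verdict means the install is on a branch the advisory does not cover and needs its own EOL assessment.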
Only recently we published a blog about a new Magecart campaign aimed at Magento sites, but that campaign primarily targeted Magento 1, which reached end-of-life (EOL) on June 30, 2020 and has not been supported since. Were Magecart to get its hands on this vulnerability, it would raise the number of potential targets by hundreds of thousands.
We have written an extensive post about how to defend your website against skimmers, but in summary, here is what you need to do to keep your site safe from this flaw: download the patch archive for your version from Adobe's advisory, unzip it, and follow Adobe's instructions for applying a Composer patch.
Stay safe, everyone!
The post Adobe patches actively exploited Magento/Adobe Commerce zero-day appeared first on Malwarebytes Labs.