Security updates for Adobe Commerce and Magento Open Source have been released by Adobe.
At the end of this January, Sansec reported a security breach at more than 500 online stores that were running on Magento 1 platform. They also reported that attackers deployed a skimmer at the naturalfreshmall[.]com domain which was loaded by all the servers.
Attackers used a combination of SQL injection and PHP Object Injection for exploiting those Magento stores. Adobe announced the retirement of Magento 1 in June 2020 which most of the servers were running on.
Sansec also reported that attackers have been exploiting the Magento 2 platforms with remote code execution vulnerabilities. Adobe has swiftly acted on this issue and released security patches for Magento and Adobe Commerce merchants.
Versions Affected
Adobe posted that Adobe Commerce 2.3.3 and lower were not affected by this vulnerability.
| Product | Version | Platform |
| Adobe Commerce | 2.4.3-p1 and earlier versions | All |
| 2.3.7-p2 and earlier versions | All | |
| Magento Open Source | 2.4.3-p1 and earlier versions | All |
| 2.3.7-p2 and earlier versions | All |
Vulnerability Details
Category: Improper Input Validation (CWE-20)
Vulnerability Impact: Arbitrary Code Execution
Severity: Critical
Pre-authentication: Yes
Admin Privileges Required: no
CVSS Base score: 9.8
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Magento Bug ID: PRODSECBUG-3118
CVE Number: CVE-2022-24086
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates
