Security updates for Adobe Commerce and Magento Open Source have been released by Adobe.
At the end of this January, Sansec reported a security breach at more than 500 online stores that were running on Magento 1 platform. They also reported that attackers deployed a skimmer at the naturalfreshmall[.]com domain which was loaded by all the servers.
Attackers used a combination of SQL injection and PHP Object Injection for exploiting those Magento stores. Adobe announced the retirement of Magento 1 in June 2020 which most of the servers were running on.
Sansec also reported that attackers have been exploiting the Magento 2 platforms with remote code execution vulnerabilities. Adobe has swiftly acted on this issue and released security patches for Magento and Adobe Commerce merchants.
Adobe posted that Adobe Commerce 2.3.3 and lower were not affected by this vulnerability.
Product | Version | Platform |
Adobe Commerce | 2.4.3-p1 and earlier versions | All |
2.3.7-p2 and earlier versions | All | |
Magento Open Source | 2.4.3-p1 and earlier versions | All |
2.3.7-p2 and earlier versions | All |
Category: Improper Input Validation (CWE-20)
Vulnerability Impact: Arbitrary Code Execution
Severity: Critical
Pre-authentication: Yes
Admin Privileges Required: no
CVSS Base score: 9.8
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Magento Bug ID: PRODSECBUG-3118
CVE Number: CVE-2022-24086
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates
A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing millions…
Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer through…
An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the initial…
A seemingly benign health app, "BMI CalculationVsn," was found on the Amazon App Store, which…
The Lazarus Group has recently employed a sophisticated attack, dubbed "Operation DreamJob," to target employees…
NodeStealer, initially a JavaScript-based malware, has evolved into a more sophisticated Python-based threat that targets…