Security updates for Adobe Commerce and Magento Open Source have been released by Adobe.
At the end of this January, Sansec reported a security breach at more than 500 online stores that were running on Magento 1 platform. They also reported that attackers deployed a skimmer at the naturalfreshmall[.]com domain which was loaded by all the servers.
Attackers used a combination of SQL injection and PHP Object Injection for exploiting those Magento stores. Adobe announced the retirement of Magento 1 in June 2020 which most of the servers were running on.
Sansec also reported that attackers have been exploiting the Magento 2 platforms with remote code execution vulnerabilities. Adobe has swiftly acted on this issue and released security patches for Magento and Adobe Commerce merchants.
Adobe posted that Adobe Commerce 2.3.3 and lower were not affected by this vulnerability.
Product | Version | Platform |
Adobe Commerce | 2.4.3-p1 and earlier versions | All |
2.3.7-p2 and earlier versions | All | |
Magento Open Source | 2.4.3-p1 and earlier versions | All |
2.3.7-p2 and earlier versions | All |
Category: Improper Input Validation (CWE-20)
Vulnerability Impact: Arbitrary Code Execution
Severity: Critical
Pre-authentication: Yes
Admin Privileges Required: no
CVSS Base score: 9.8
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Magento Bug ID: PRODSECBUG-3118
CVE Number: CVE-2022-24086
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates
Cybercriminals are intensifying their efforts to undermine multi-factor authentication (MFA) through adversary-in-the-middle (AiTM) attacks, leveraging…
A recent investigation by the FortiGuard Incident Response (FGIR) team has uncovered a sophisticated, long-term…
StealC, a notorious information stealer and malware downloader first sold in January 2023, has rolled…
Cybersecurity researchers at Bitdefender have identified a significant uptick in subscription-based scams, characterized by an…
SocGholish, a notorious loader malware, has evolved into a critical tool for cybercriminals, often delivering…
Cybersecurity researchers uncovered a sophisticated supply chain attack targeting the Go programming language ecosystem in…