Security updates for Adobe Commerce and Magento Open Source have been released by Adobe.
At the end of this January, Sansec reported a security breach at more than 500 online stores that were running on Magento 1 platform. They also reported that attackers deployed a skimmer at the naturalfreshmall[.]com domain which was loaded by all the servers.
Attackers used a combination of SQL injection and PHP Object Injection for exploiting those Magento stores. Adobe announced the retirement of Magento 1 in June 2020 which most of the servers were running on.
Sansec also reported that attackers have been exploiting the Magento 2 platforms with remote code execution vulnerabilities. Adobe has swiftly acted on this issue and released security patches for Magento and Adobe Commerce merchants.
Adobe posted that Adobe Commerce 2.3.3 and lower were not affected by this vulnerability.
Product | Version | Platform |
Adobe Commerce | 2.4.3-p1 and earlier versions | All |
2.3.7-p2 and earlier versions | All | |
Magento Open Source | 2.4.3-p1 and earlier versions | All |
2.3.7-p2 and earlier versions | All |
Category: Improper Input Validation (CWE-20)
Vulnerability Impact: Arbitrary Code Execution
Severity: Critical
Pre-authentication: Yes
Admin Privileges Required: no
CVSS Base score: 9.8
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Magento Bug ID: PRODSECBUG-3118
CVE Number: CVE-2022-24086
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates
Infected websites mimic legitimate human verification prompts (CAPTCHAs) to trick users, who often request seemingly innocuous clicks, resembling past CAPTCHA…
An emerging threat leverages Microsoft's Graph API to facilitate command-and-control (C&C) communications through Microsoft cloud services. Recently, security analysts at…
Apache ActiveMQ is a Java based communication management tool for communicating with multiple components in a server. It is an…
In the latest edition of Verizon's Data Breach Investigations Report (DBIR) for 2024, a concerning trend has been highlighted, a…
The United States government has issued a stark warning about a new wave of social engineering attacks orchestrated by North…
Cisco has disclosed multiple vulnerabilities in its IP Phone firmware that could severely impact users by allowing unauthenticated, remote attackers…