HackDig : Dig high-quality web security articles

Critical Magento zero-day flaw CVE-2022-24086 actively exploited

2022-02-14 06:58

Adobe addressed a critical vulnerability (CVE-2022-24086) impacting Magento Open Source products that is being actively exploited in the wild.

Adobe rolled out security updates to address a critical security vulnerability, tracked as CVE-2022-24086, affecting its Adobe Commerce and Magento Open Source products; the flaw is being actively exploited in the wild.

“Adobe is aware that CVE-2022-24086 has been exploited in the wild in very limited attacks targeting Adobe Commerce merchants,” reads the advisory published by Adobe.

The flaw is an improper input validation vulnerability (CWE-20) that a remote, unauthenticated attacker could exploit to achieve arbitrary code execution on vulnerable systems; exploitation does not require administrative privileges.

CVE-2022-24086 has received a CVSS 3.1 base score of 9.8 out of 10 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). It is classified as a pre-authentication issue, which means it can be exploited without credentials.

The vulnerability affects the following versions of the products:

Product               Version                         Platform
Adobe Commerce        2.4.3-p1 and earlier versions   All
                      2.3.7-p2 and earlier versions   All
Magento Open Source   2.4.3-p1 and earlier versions   All
                      2.3.7-p2 and earlier versions   All

Adobe Commerce 2.3.3 and lower are not affected by this vulnerability.
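To turn the version table above into something an operator can run against a fleet, here is an added triage script. It is my own example, not code from Adobe, Security Affairs or the Magento project. It encodes the two affected ranges from the table (2.3.4 through 2.3.7-p2 and 2.4.0 through 2.4.3-p1, using Adobe's note that 2.3.3 and lower are not affected as the lower bound of the 2.3 branch), parses the `bin/magento --version` banner or a plain version string, and can also read the platform version pinned in a `composer.lock` via the `magento/product-community-edition` and `magento/product-enterprise-edition` metapackages. The sample inventory and lock file are constructed for the demonstration; the store names are not real merchants. One caveat a practitioner should keep in mind: Adobe fixes can be applied as hotfixes on top of an existing release without changing the version string, so a version check can tell you a store is in the vulnerable range but cannot by itself prove the store is patched.

```python
import json
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, p-level)

# Affected ranges taken from the advisory table on this page, for both
# Adobe Commerce and Magento Open Source. The lower bound of the 2.3 branch
# follows from Adobe's note that 2.3.3 and lower are not affected.
AFFECTED_RANGES = (
    ((2, 3, 4, 0), (2, 3, 7, 2)),   # 2.3.4 .. 2.3.7-p2
    ((2, 4, 0, 0), (2, 4, 3, 1)),   # 2.4.0 .. 2.4.3-p1
)

# Matches 2.4.3, 2.4.3-p1, and the version inside a 'bin/magento --version'
# banner such as 'Magento CLI 2.4.3-p1'.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?\b")


def parse_version(text: str) -> Optional[Version]:
    """Extract (major, minor, patch, p-level) from free text, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    # A missing -pN suffix is p-level 0, so '2.4.3' sorts before '2.4.3-p1'.
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected(text: str) -> Optional[bool]:
    """True if the version falls in an affected range, False if not,
    None if no version was found or it is not a Magento 2 release
    (Magento 1.x is end-of-life and outside the advisory's scope)."""
    v = parse_version(text)
    if v is None or v[0] != 2:
        return None
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


# Composer metapackages that pin the platform release in composer.lock.
_PLATFORM_PACKAGES = ("magento/product-community-edition",
                      "magento/product-enterprise-edition")


def version_from_composer_lock(lock_text: str) -> Optional[str]:
    """Return the platform version recorded in a composer.lock, if any."""
    data = json.loads(lock_text)
    for pkg in data.get("packages", []):
        if pkg.get("name") in _PLATFORM_PACKAGES:
            return pkg.get("version")
    return None


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each store name to a verdict string for its raw version string."""
    verdicts = {}
    for store, raw in inventory.items():
        result = is_affected(raw)
        if result is None:
            verdicts[store] = "unknown (no Magento 2 version found)"
        elif result:
            verdicts[store] = "AFFECTED - apply the Adobe update"
        else:
            verdicts[store] = "not in affected range"
    return verdicts


# Constructed sample inputs for the demonstration (not real stores or lock files).
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "magento/framework", "version": "103.0.3-p1"},
        {"name": "magento/product-community-edition", "version": "2.4.3-p1"},
    ]
})

SAMPLE_INVENTORY = {
    "shop-a": "Magento CLI 2.4.3-p1",
    "shop-b": "Magento CLI 2.3.7-p2",
    "shop-c": "Magento CLI 2.3.3",
    "shop-d": "Magento CLI 2.4.4",
    "legacy": "Magento 1.9.4.5",
}

if __name__ == "__main__":
    print("composer.lock platform version:",
          version_from_composer_lock(SAMPLE_COMPOSER_LOCK))
    for store, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{store}: {verdict}")
```

In practice you would feed `is_affected` the output of `bin/magento --version` run from each store's Magento root, or `version_from_composer_lock` the contents of its `composer.lock`; a store that comes back "AFFECTED" needs the Adobe update confirmed by other means (the applied hotfix, not just the version string), and a Magento 1 store returns "unknown" because it is end-of-life and outside this advisory entirely.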

Last week, researchers from the cybersecurity firm Sansec uncovered a massive Magecart campaign that had already compromised more than 500 online stores running the Magento 1 eCommerce platform.

Threat actors behind this campaign deployed a digital skimmer that was being loaded from the naturalfreshmall(.)com domain.

An interesting characteristic of this attack is the combination of SQL injection and PHP object injection to take over the Magento store.

Experts pointed out that the Magento 1 platform reached end-of-life in June 2020 and for this reason no longer receives security updates.


Pierluigi Paganini


The post Critical Magento zero-day flaw CVE-2022-24086 actively exploited appeared first on Security Affairs.

Source: securityaffairs.co/wordpress/127999/hacking/cve-2022-24086-zero-day.html
