Published on 25 February 2022

Vulnerabilities on Magento, patch your servers as soon as possible!

Adobe on Sunday issued patches to contain a critical security vulnerability affecting its Commerce and Magento open source products, which the company says is being actively exploited in the wild.

Identified as CVE-2022-24086, the flaw carries a CVSS score of 9.8 out of 10 and has been characterised as an "improper input validation" issue that could be exploited to obtain arbitrary code execution.

The flaw can also be exploited without credentials; in addition, the California-based company noted that the vulnerability can be exploited by an attacker without administrative privileges.

The flaw affects Adobe Commerce and Magento Open Source. A second Magento Open Source vulnerability has been listed as CVE-2022-24087, but no evidence of in-the-wild exploitation or a public proof of concept has been reported for it.

Summary table of affected versions. Adobe Commerce 2.3.3 and earlier versions are not affected.

E-commerce sites are among the top targets on the Internet today, as once they are compromised, they can be infected with malware that steals buyers' payment card data.

According to a new report published this month by Microsoft's RiskIQ, 165 unique command and control servers used by known Magecart threat actors were detected in January 2022, some of which include compromised legitimate domains.

These types of attacks, known as "web skimmers" or Magecart attacks, have been occurring since 2016, and they don't seem to be stopping anytime soon.

Just last week, e-commerce security firm Sansec reported a campaign that infected over 350

Tweet from Sansec

The company has been working on fixing the bug on Magento. The following points should be taken into consideration:

  • If you are using Magento 2.3 or 2.4, install the Adobe custom patch as soon as possible.
  • If you are using a version of Magento 2 between 2.3.3 and 2.3.7, you should be able to apply the patch manually, as it only affects a few lines.

Sansec noted on Monday that the bug was discovered on January 27, and that "this vulnerability has a similar severity to the Magento Shoplift vulnerability from 2015. At the time, almost every unpatched Magento shop in the world was compromised within days of the exploit's release."

Researchers detailed the update procedure:

Tweet detailing the update procedure

The update is important for online merchants: the Magecart group is known to target unpatched versions of Magento in particular, looking for a way to install credit card skimmers on the payment pages of e-commerce sites.

A public proof of concept has appeared on GitHub. Exploitation is trivial and requires only a single web request. We can't say it enough: update your applications!

Article written by
La Minute Cyber