Over the weekend, Adobe released an emergency update to fix a 0-day vulnerability in Magento…
As early as last week, the company warned that this problem was already being abused by hackers, albeit in rare targeted attacks so far. In total, researchers estimate that there are more than 17,000 sites vulnerable to this problem, some of which are owned by large enterprises.
Adobe has now updated the security bulletin for CVE-2022-24086 with a new issue that has the ID CVE-2022-24087 and the same CVSS score. The new problem can also lead to remote code execution and be used in attacks. The company’s specialists have already released additional patches for Adobe Commerce and Magento Open Source.
The discovery of the second critical error (CVE-2022-24087) is attributed to information security researchers known under the pseudonyms Eboda and Blaklis. Moreover, they emphasize that applying only the first patch is not enough.
Interestingly, according to Fabian Schmengler, another information security specialist and certified Magento developer, the latest fix for CVE-2022-24087 (MDVA-43443) breaks the CSS configuration for Template Styles in email templates “because all curly braces are removed to clean up input”. However, he writes that less colourful emails are a good compromise, especially if it allows you not to be exposed to the RCE vulnerability.
In the meantime, Positive Technologies analysts even reported that they had created a working exploit for the original CVE-2022-24086 problem. The researchers report that attackers exploiting this bug can gain “full access to the target system with web server privileges.”
Bleeping Computer, which spoke with experts, says that trying to protect against the exploitation of this bug through the WAF setting can hardly be called a good idea, since the problem can be exploited in several ways that do not imply the presence of “specific and fatal constructs in the request.”
According to Positive Technologies, the development of a full-fledged exploit is a rather difficult task, while the technical details are not available. However, once this hurdle is removed, attacks on vulnerable systems become “reasonably simple and straightforward.”
Recall also that last September Magento-based stores suffered from the biggest attack since 2015.
Yourbrolink3d.com is a domain that tries to trick you into subscribing to its browser notifications…
News-xyeneho.live is a domain that tries to force you into clik to its browser notifications…
Simplejscdn.com is a domain that tries to force you into clik to its browser notifications…
Yourbrolink4d.com is a domain that tries to trick you into clik to its browser notifications…
News-xxajive.xyz is a domain that tries to force you into clik to its browser notifications…
News-xxohuba.xyz is a site that tries to force you into subscribing to its browser notifications…