Magento CMS developers have prepared a patch that fixes a 10-point RCE vulnerability in the e-commerce…
The 0-day has been identified as CVE-2022-24086 (CVSS 9.8 out of 10); it allows remote arbitrary code execution without authentication. According to Adobe, the root of the problem is incorrect input validation.
All sites and resources running Adobe Commerce and Magento Open Source versions 2.4.3-p1 and 2.3.7-p2 and below are considered vulnerable, and their administrators are advised to upgrade as soon as possible. Adobe emphasizes that sites running Adobe Commerce 2.3.3 and earlier are not affected by the vulnerability.
It is noted that site operators using Magento 2 (versions 2.3.3 to 2.3.7) can install the released patch manually, since the fix changes only a few lines.
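To turn the version ranges above into a repeatable check across an inventory of stores, here is an added example (not code from the page, Adobe or Magento) that parses the `major.minor.patch[-pN]` version strings Adobe uses and reports which installations fall inside the affected ranges; the inventory itself is constructed sample data.

```python
import re

# Matches Adobe Commerce / Magento Open Source version strings such as "2.4.3-p1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_magento_version(version: str) -> tuple[int, int, int, int]:
    """Return (major, minor, patch, p_level); a release without -pN has p_level 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {version!r}")
    major, minor, patch, p_level = m.groups()
    return int(major), int(minor), int(patch), int(p_level or 0)


def is_affected_by_cve_2022_24086(version: str) -> bool:
    """Apply the ranges from Adobe's bulletin as quoted in the article:
    2.3.x: affected if newer than 2.3.3 and no newer than 2.3.7-p2.
    2.4.x: affected if no newer than 2.4.3-p1.
    Any other branch is treated as not covered by the bulletin (assumption)."""
    v = parse_magento_version(version)
    if v[:2] == (2, 3):
        return (2, 3, 3, 0) < v <= (2, 3, 7, 2)
    if v[:2] == (2, 4):
        return v <= (2, 4, 3, 1)
    return False


def affected_hosts(inventory: dict[str, str]) -> list[str]:
    """Given {hostname: version}, return the hosts that still need the patch."""
    return sorted(h for h, ver in inventory.items() if is_affected_by_cve_2022_24086(ver))


# Constructed sample inventory; hostnames are placeholders.
SAMPLE_INVENTORY = {
    "shop-a.example": "2.4.3-p1",   # affected
    "shop-b.example": "2.4.3-p2",   # patched release
    "shop-c.example": "2.3.7-p2",   # affected
    "shop-d.example": "2.3.3",      # bulletin says not affected
    "shop-e.example": "2.3.5",      # affected, manual patch possible
}

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} needs the CVE-2022-24086 patch")
```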
In its security bulletin, Adobe describes the attacks associated with this bug as “very limited” and targeting Adobe Commerce; in other words, mass exploitation of the problem has not begun yet.
It is not yet clear how difficult it is to exploit CVE-2022-24086, but it appears to be a complex process. Bleeping Computer quotes cybersecurity expert Willem de Groot, founder and managing director of Sansec, as saying that he has not yet seen the full remote code execution attack chain, which indicates that “this is not a trivial exploit.”