Vendors Actively Bypass Security Patch for Year-Old Magento Vulnerability

guest · Jan 18, 2023

By Ionut Arghire - January 18, 2023

Vendors and agencies are actively bypassing the security patch that Adobe released in February 2022 to address CVE-2022-24086, a critical mail template vulnerability in Adobe Commerce and Magento stores, ecommerce security firm Sansec warns.
Click to expand...

The CVE-2022-24086 bug (CVSS score of 9.8) is described as an improper input validation bug in the checkout process. It could be exploited to achieve arbitrary code execution, with in-the-wild exploitation observed roughly one week after patches were made available for it.

The initial fixes were found to be easily bypassed, and Adobe issued a second round of patches and a new CVE identifier (CVE-2022-24087) for the bug only days later. A proof-of-concept (PoC) exploit targeting the flaw was released around the same time.
Click to expand...

To address the vulnerability, Adobe removed 'smart' mail templates and replaced the old mail template variable resolver with a new one, to prevent potential injection attacks.

However, the move caught many vendors off guard, and some of them “had to revert to the original functionality." In doing so, they unknowingly exposed themselves to the critical vulnerability, despite having applied the latest security patch, Sansec explained.
Click to expand...

Sansec: Vendors defeat Magento security patch (+ simple check)

January 16, 2023
Magento and Adobe Commerce stores around the world have been hammered with Trojan Order attacks this winter. And even if you have patched or installed Adobe’s 2.4.4 release, you may still be vulnerable. Sansec discovered that several vendors and agencies are actively bypassing this security fix, and some patched stores actually got hacked.
Click to expand...

Log in or Sign up

Vendors Actively Bypass Security Patch for Year-Old Magento Vulnerability

guest Guest

Log in or Sign up

Vendors Actively Bypass Security Patch for Year-Old Magento Vulnerability

guest Guest

Useful Searches