Vendors Actively Bypass Security Patch for Year-Old Magento Vulnerability
18-Jan-23
According to ecommerce security firm Sansec, vendors and agencies are purposefully avoiding the security patch that Adobe provided in February 2022 to address CVE-2022-24086, a serious mail template vulnerability in Adobe Commerce and Magento shops. The CVE-2022-24086 problem is categorised as an incorrect input validation flaw that affects the checkout process (CVSS score: 9.8). In-the-wild exploitation was seen around a week after fixes were made available for it, and it could be used to execute arbitrary code. Only a few days after the original remedies were discovered to be readily circumvented, Adobe released a second set of patches and a new CVE number (CVE-2022-24087) for the vulnerability. Around the same time, a proof-of-concept (PoC) exploit utilising the weakness was made public.
