A catastrophic vulnerability was recently discovered in Adobe Commerce and Magento, but e-commerce websites using these platforms seem largely uninterested in applying a patch.
As a result, “millions” of sites are open to attacks that could have devastating consequences, experts warn.
As reported by BleepingComputerSansec cybersecurity researchers discovered an inappropriate vulnerability mitigation for the XML external entity reference (“XXE”), and named it “CosmicSting.” It is now tracked as CVE-2024-34102 and has a severity score of 9.8 (critical).
Patch and fixes
“CosmicSting (aka CVE-2024-34102) is the worst bug to hit Magento and Adobe Commerce stores in two years,” Sansec said in a security advisory. “On its own, it allows anyone to read private files (such as those with passwords). However, when combined with the recent iconv bug in Linux, it turns into the security nightmare of remote code execution.”
These are the product versions affected by CosmicSting:
- Adobe Commerce 2.4.7 and earlier, including 2.4.6-p5, 2.4.5-p7, 2.4.4-p8
- Extended support for Adobe Commerce 2.4.3-ext-7 and earlier, 2.4.2-ext-7 and earlier, 2.4.1-ext-7 and earlier, 2.4.0-ext-7 and earlier, 2.3.7-p4 – ext-7 and earlier.
- Magento Open Source 2.4.7 and earlier, including 2.4.6-p5, 2.4.5-p7, 2.4.4-p8
- Adobe Commerce Webhooks Plugin versions 1.2.0 to 1.4.0
If your company is using any of the above, make sure you apply the patch (which was already available) as soon as possible.
Sansec says that despite the vulnerability being made public over a week ago, approximately 75% of Adobe Commerce and Magento users remain unpatched. There is currently no evidence of exploitation in the wild and Adobe has not published any technical details so as not to give hackers any hints. However, Sansec says the patch can be reverse-engineered and used to learn more about the bug.
Those who cannot apply the patch immediately are advised to apply the measures on the website this link.