On 13 February, Adobe disclosed a vulnerability in its Adobe Commerce and Magento Open Source products with a CVSS score of 9.8. Because of the critical severity rating, the company released an emergency patch for it. Only last week Magento was the subject of another vulnerability, although that one affected only unsupported, older versions.
Exploiting the vulnerability does not require admin privileges
The flaw, tracked as CVE-2022-24086, allows attackers to execute arbitrary code. The company stated that it has been exploited in the wild in a very limited number of attacks targeting Adobe Commerce merchants. Exploitation does not require any administrator privileges and is made possible by an improper input validation bug.
The affected products can be seen below:
- Adobe Commerce 2.4.3-p1 and earlier versions
- Adobe Commerce 2.3.7-p2 and earlier versions
- Magento Open Source 2.4.3-p1 and earlier versions
- Magento Open Source 2.3.7-p2 and earlier versions
The company has also added that Adobe Commerce 2.3.3 and lower versions are not affected by CVE-2022-24086. The patches that fix the vulnerability can be seen below:
- Adobe Commerce: MDVA-43395_EE_2.4.3-p1_v1
- Magento Open Source: MDVA-43395_EE_2.4.3-p1_v1
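The affected and unaffected ranges above are easy to misread when an inventory contains many instances, so the following script, an added example that is not part of the article or Adobe's own tooling, turns them into a version check. It assumes version strings in Magento's "major.minor.patch" form with an optional "-pN" security-patch suffix; patch releases of 2.3.3 (such as a hypothetical 2.3.3-p1) are above 2.3.3 and are treated as affected, which is the conservative reading of the advisory. The inventory at the bottom is constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# (major, minor, patch, security-patch level); a bare "2.4.3" has level 0.
VersionKey = Tuple[int, int, int, int]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(version: str) -> VersionKey:
    """Turn '2.4.3-p1' into (2, 4, 3, 1); a release without a -pN suffix gets level 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {version!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


# Ranges as stated in the advisory for CVE-2022-24086:
#   2.3 branch: everything above 2.3.3 up to and including 2.3.7-p2
#   2.4 branch: 2.4.0 up to and including 2.4.3-p1
# Assumption: 2.3.3-pN releases count as "above 2.3.3" and are flagged.
_LAST_SAFE_2_3 = parse_version("2.3.3")
_LAST_AFFECTED_2_3 = parse_version("2.3.7-p2")
_FIRST_AFFECTED_2_4 = parse_version("2.4.0")
_LAST_AFFECTED_2_4 = parse_version("2.4.3-p1")


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the two affected ranges."""
    v = parse_version(version)
    if _LAST_SAFE_2_3 < v <= _LAST_AFFECTED_2_3:
        return True
    if _FIRST_AFFECTED_2_4 <= v <= _LAST_AFFECTED_2_4:
        return True
    return False


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames whose reported version is in an affected range, sorted."""
    return sorted(host for host, version in inventory.items() if is_affected(version))


if __name__ == "__main__":
    # Constructed sample inventory: hostname -> version reported by the store.
    sample_inventory = {
        "shop-eu.example": "2.4.3-p1",
        "shop-us.example": "2.4.4",
        "legacy.example": "2.3.7-p2",
        "archive.example": "2.3.3",
    }
    for host in triage(sample_inventory):
        print(f"{host}: {sample_inventory[host]} is in the affected range, apply MDVA-43395")
```

Note that the fix is a hotfix applied on top of an existing release, not a new version number, so an instance running 2.4.3-p1 with MDVA-43395 already applied still reports 2.4.3-p1 here; the version check tells you which instances to look at, and confirming that the patch is present has to be done on the instance itself.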
Since this is a 9.8-rated vulnerability, the affected versions should be patched immediately. You can follow the link below to download the related patches from the Magento Support website:
Click here to download Adobe Commerce / Magento Open Source patches