At the beginning of this week, Adobe released a patch for its e-commerce platform Magento addressing a vulnerability that allows remote code execution. The vulnerability is tracked as CVE-2022-24086 and carries a very high severity score of 9.8. The fix was released and the case appeared closed. However, cybersecurity company Positive Technologies has managed to exploit the flaw again.
Firewall is not a solution
Adobe has updated its security bulletin page for the new flaw, bringing relevant patches
The new instance of the improper input validation flaw is tracked under a separate CVE ID, CVE-2022-24087. The new flaw has the same severity score, and exploitation has the same outcome: full access to the target system with web-server privileges. Security researchers at Positive Technologies state that using a web application firewall to block attempts is not a solution, since the bug can be exploited in several ways. They also note that full exploitation is difficult to carry out.
There is no public documentation of the technical details of CVE-2022-24087 yet. Adobe has updated its Security Bulletin page for CVE-2022-24086; it now covers the new CVE along with the fix. The company immediately released new patches, which can be found on the advisory page.
Adobe Commerce / Magento has been affected by several security vulnerabilities recently. The Magento 1 platform, which is no longer supported, is also being targeted by malicious actors to steal payment details.