Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Vendors Actively Bypass Security Patch for Year-Old Magento Vulnerability

Vendors and agencies are bypassing a security patch that Adobe released in February 2022 to address CVE-2022-24086.

Vendors and agencies are actively bypassing the security patch that Adobe released in February 2022 to address CVE-2022-24086, a critical mail template vulnerability in Adobe Commerce and Magento stores, ecommerce security firm Sansec warns.

The CVE-2022-24086 bug (CVSS score of 9.8) is described as an improper input validation bug in the checkout process. It could be exploited to achieve arbitrary code execution, with in-the-wild exploitation observed roughly one week after patches were made available for it.

The initial fixes were found to be easily bypassed, and Adobe issued a second round of patches and a new CVE identifier (CVE-2022-24087) for the bug only days later. A proof-of-concept (PoC) exploit targeting the flaw was released around the same time.

To address the vulnerability, Adobe removed ‘smart’ mail templates and replaced the old mail template variable resolver with a new one, to prevent potential injection attacks.

However, the move caught many vendors off guard, and some of them “had to revert to the original functionality.” In doing so, they unknowingly exposed themselves to the critical vulnerability, despite having applied the latest security patch, Sansec explained.

The security firm has observed some vendors attempting to reintroduce the functionality of the deprecated resolver into production Magento stores, either by overriding the functionality of the new resolver, or by copying code from older versions of Magento and using it as a preference.

“We have observed this risky behavior at multiple agencies as well as extension vendors, likely to avoid the need to update their email templates to be compatible with the new [resolver],” Sansec added.

The company said some vendors attempted to mitigate security risks by adding to the ordering systems basic filtering on unsafe user inputs, but that does not prevent exploitation, given that the vulnerability can be triggered from other subsystems as well, if they touch email.

Advertisement. Scroll to continue reading.

Related: Magento Vulnerability Increasingly Exploited to Hack Online Stores

Related: Malware Infects Magento-Powered Stores via FishPig Distribution Server

Related: CISA Urges Orgs to Patch Recent Chrome, Magento Zero-Days

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Gigamon has promoted Tony Jarjoura to CFO and Ram Bhide has been hired as Senior VP of engineering.

Cloud security firm Mitiga has appointed Charlie Thomas as Chief Executive Officer.

Cynet announced the appointment of Jason Magee as Chief Executive Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.