Zero-day flaw: Adobe releases an emergency patch for Commerce and Magento


Adobe has released an emergency patch to address a critical flaw exploited in various attacks on its Commerce platform. This Sunday, the company said the vulnerability affects Adobe Commerce and Magento Open Source and that, according to its threat data, the flaw is being used “in very limited attacks targeting Adobe Commerce merchants”.

Identified as CVE-2022-24086, the vulnerability received a CVSS severity score of 9.8 out of 10, close to the maximum possible. It stems from improper input validation, described in the Common Weakness Enumeration (CWE) category system as a bug that occurs when a “product receives input or data, but does not validate or incorrectly validates that the input has the properties required to process the data correctly and securely”.

The CVE-2022-24086 flaw does not require administrator privileges to trigger. Adobe says the critical pre-authentication bug can be exploited to execute arbitrary code.

Commerce and Magento affected

Because the vulnerability is severe enough to warrant an emergency patch, the company has not released technical details, giving customers time to apply the patches and reducing the risk of exploitation. The flaw affects Adobe Commerce versions 2.3.3-p1 through 2.3.7-p2 and Magento Open Source versions 2.4.0 through 2.4.3-p1, as well as earlier versions.

Adobe patches can be downloaded and applied manually here.

Earlier this month, Adobe released security updates for products including Premiere Rush, Illustrator, and Creative Cloud. That series of patches addressed vulnerabilities leading to arbitrary code execution, denial of service (DoS), and privilege escalation, among other issues. Last week, Apple released iOS 15.3.1 to fix a vulnerability in its Safari browser that could be exploited to execute arbitrary code. During February’s Patch Tuesday, Microsoft fixed 48 vulnerabilities, including a publicly known zero-day security flaw.

Source: ZDNet.com