Adobe patches critcal bug in e-commerce software
The flaw, which allowed attackers to run their own code on websites, was being exploited in wild
Adobe has fixed a critical vulnerability in its e-commerce software that allowed attackers to run their own code on merchants' sites.
The bug, which was being exploited in the wild, affects Adobe Commerce and Magento Commerce, software that allow merchants to host and manage online stores. It is rated critical, with a 9.8 score under the Common Vulnerability Scoring System (CVSS), and is described as improper input validation bug that allows attackers to execute arbitrary code by manipulating input fields.
"Adobe is aware that CVE-2022-24086 has been exploited in the wild in very limited attacks targeting Adobe Commerce merchants," the company warned in an advisory.
The vulnerability affects v2.4.3 and earlier of the Adobe products, and the company has released a patch. With little other information about the bug, there are no clear workarounds for the vulnerability other than to patch systems immediately.
Security bugs like these allow attackers to inject their own code onto e-commerce sites, which could skim a customer's credit card details and login credentials. One of the most popular skimming groups is Magecart, originally a single group that experts have seen morph into multiple groups.
Adobe acquired Magento in 2018 and rebranded its Magento Commerce product as Adobe Commerce. The company still offers a free version called Magento Open Source for building ecommerce stores.
Adobe Commerce offers a page builder for product stores, personalized product recommendations, and real-time inventory management that allows vendors to arrange for home delivery or pickup at the store. It also offers reporting capabilities to help visualize store performance.
RELATED RESOURCE
Putting the insurance industry back in safe hands
The role of payments in digital transformation
In September, Adobe added a new Payment Services tool to the Commerce product that allows merchants to support more payment services, such as Venmo and PayPal.
Security company Malwarebytes recently noted an increase in Magecart activity after one of the groups began targeting large numbers of ecommerce scores. Much of this activity focuses on Magento 1, which has not been supported since 2020. These attackers used a vulnerability in the Quickview plugin to create rogue Magento admin users that could run code with elevated privileges.
-
Compromised open source package pushed malicious Elementary CLI release to developersNews The open source Elementary CLI tool has more than one million monthly downloads
-
Everything you need to know about the GitHub Copilot pricing changesNews GitHub Copilot pricing changes mean users will be charged based on consumption, rather than a set number of credits
-
Brace yourselves for a vulnerability explosion, Forescout warnsNews AI advances are helping identify software flaws at record pace and scale, but that's not the good news some would think
-
Ubuntu vulnerability exposes enterprises to root escalation, complete system compromiseNews The high-severity Ubuntu vulnerability allows an unprivileged local attacker to escalate privileges through the interaction of two standard system components
-
Security agencies issue warning over critical Cisco Catalyst SD-WAN vulnerabilityNews Threat actors have been exploiting the vulnerability to achieve root access since 2023
-
Millions of developers could be impacted by flaws in Visual Studio Code extensions – here's what you need to know and how to protect yourselfNews The VS Code vulnerabilities highlight broader IDE security risks, said OX Security
-
CVEs are set to top 50,000 this year, marking a record high – here’s how CISOs and security teams can prepare for a looming onslaughtNews While the CVE figures might be daunting, they won't all be relevant to your organization
-
Microsoft patches six zero-days targeting Windows, Word, and more – here’s what you need to knowNews Patch Tuesday update targets large number of vulnerabilities already being used by attackers
-
Experts welcome EU-led alternative to MITRE's vulnerability tracking schemeNews The EU-led framework will reduce reliance on US-based MITRE vulnerability reporting database
-
Veeam patches Backup & Replication vulnerabilities, urges users to updateNews The vulnerabilities affect Veeam Backup & Replication 13.0.1.180 and all earlier version 13 builds – but not previous versions.
