Adobe released patches on Sunday to address a critical security vulnerability affecting its Commerce and Magento Open Source products, which it claims is being actively exploited in the wild.
The flaw, identified as CVE-2022-24086, has a CVSS score of 9.8 out of 10 and has been described as an “improper input validation” issue that could be weaponized to achieve arbitrary code execution.
It’s also a pre-authenticated flaw, which means it can be exploited without any credentials. However, the California-based company also stated that the vulnerability can only be exploited by an attacker with administrative privileges.
Adobe Commerce and Magento Open Source 2.4.3-p1 and earlier versions, as well as 2.3.7-p2 and earlier versions, are affected by the flaw. Adobe Commerce 2.3.3 and earlier are not at risk.
The organisation said: “Adobe is aware that CVE-2022-24086 has been exploited in the wild in very limited attacks targeting Adobe Commerce merchants.”
Finally, the findings follow last week’s disclosure by Sansec, an e-commerce malware and vulnerability detection company, of a Magecart attack that compromised 500 sites running the Magento 1 platform with a credit card skimmer designed to syphon sensitive payment information.