Sansec researchers have reported that fixes for a critical mail template flaw in Adobe Commerce and Magento, tracked as CVE-2022-24086, have been bypassed by agencies and extension vendors, according to SecurityWeek.
Attackers had been leveraging the flaw for arbitrary code execution less than a week after the initial patches were released, and Adobe issued a second round of fixes after threat actors easily evaded the first. That second fix removed "smart" mail templates and replaced the legacy mail template variable resolver to prevent injection attacks; however, Sansec observed some vendors restoring the old functionality, leaving their stores exposed to the critical flaw even though the updated patches had been applied.
Moreover, deprecated resolver functionality has also been reintroduced by some vendors to production Magento stores.
"We have observed this risky behavior at multiple agencies as well as extension vendors, likely to avoid the need to update their email templates to be compatible with the new [resolver]," researchers added.
Vulnerabilities impacting cloud analytics and business intelligence software Qlik Sense have been exploited to facilitate the deployment of CACTUS ransomware in a new campaign, The Hacker News reports.