
Magento vulnerability patch evaded by vendors

Sansec researchers report that the fix for CVE-2022-24086, a critical mail template injection flaw in Adobe Commerce and Magento Open Source, is being undone by agencies and extension vendors, according to SecurityWeek. Attackers leveraged the flaw for arbitrary code execution nearly a week after the initial patches were released, and Adobe issued a second round of fixes after the first patch was found to be easy to bypass. That fix removed "smart" mail templates and replaced the legacy mail template variable resolver to prevent injection attacks, but Sansec observed some vendors restoring the old functionality, leaving stores exposed to the critical flaw even with the updated patches installed. In some cases the deprecated resolver was reintroduced directly on production Magento stores. "We have observed this risky behavior at multiple agencies as well as extension vendors, likely to avoid the need to update their email templates to be compatible with the new [resolver]," the researchers added.
