
Adobe patches critical Magento XSS that puts sites at takeover risk

A super-critical vulnerability in Adobe Magento could allow attackers to fully compromise e-commerce platforms, according to the security researcher who unearthed the bug.

Adobe has urged users to update their systems to protect their websites from abuse of the flaw, which has been assigned the maximum possible CVSS severity score of 10.

Tracked as CVE-2022-35698, the stored cross-site scripting (XSS) bug can lead to arbitrary code execution, according to an Adobe security advisory published on October 11.

The flaw affects versions 2.4.4-p1 and earlier, as well as 2.4.5 and earlier, of Adobe Commerce and Magento Open Source. The issue has been patched in versions 2.4.5-p1 and 2.4.4-p2.
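The affected and fixed versions above do not form a single contiguous range: 2.4.4-p2 sorts below 2.4.5 yet carries the fix. The following is an added example (not code from the article or from Adobe) showing how to check an installed version against the advisory's boundaries without falling into that trap; it assumes that releases later than 2.4.5-p1 also include the fix.

```python
import re
from typing import NamedTuple


class MagentoVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    plevel: int  # 0 when there is no "-pN" security-patch suffix


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(text: str) -> MagentoVersion:
    """Parse a Magento / Adobe Commerce version such as '2.4.4-p1' or '2.4.5'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {text!r}")
    major, minor, patch, plevel = m.groups()
    return MagentoVersion(int(major), int(minor), int(patch), int(plevel or 0))


# Fixed releases named in the Adobe advisory for CVE-2022-35698.
FIXED_244 = parse_version("2.4.4-p2")
FIXED_245 = parse_version("2.4.5-p1")


def is_affected_by_cve_2022_35698(text: str) -> bool:
    """True when the given version falls inside the advisory's affected range."""
    v = parse_version(text)
    # Assumption: 2.4.5-p1 and every later release carry the fix.
    if v >= FIXED_245:
        return False
    # The 2.4.4 line was fixed separately in 2.4.4-p2. A plain tuple
    # comparison would wrongly flag it, because 2.4.4-p2 sorts below 2.4.5.
    if v[:3] == FIXED_244[:3] and v.plevel >= FIXED_244.plevel:
        return False
    # Everything else up to and including 2.4.5 is listed as affected.
    return True


if __name__ == "__main__":
    # Constructed sample inventory, not data from the article.
    for installed in ["2.3.7", "2.4.3-p3", "2.4.4-p1", "2.4.4-p2", "2.4.5", "2.4.5-p1"]:
        state = "AFFECTED" if is_affected_by_cve_2022_35698(installed) else "patched"
        print(f"{installed:10} {state}")
```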

It’s estimated that around 267,000 active e-commerce websites are built with Magento.

The software update also addresses a medium-severity improper access control vulnerability that could be abused to bypass a security feature (CVE-2022-35689).

‘Easy to exploit’

The researcher credited with finding the critical flaw, ‘Blaklis’, told The Daily Swig: “The flaw basically allows [an attacker] to XSS the admin area in a very specific way, that makes it very easy for the victim to trigger it with normal, regular browsing. That leads to obviously nasty things, including full shop compromise. So… that explains the score I guess.”

They added: “As far as I know, there’s no specific prerequisite to exploit it, and no real mitigations except patching.

“The flaw is pretty easy to exploit and does not require authentication at all. I found the bug by looking at their code, as I [have] do[ne] for a couple of years now – I pretty much know their code by heart now.”

Blaklis’ previous notable Magento finds have included a privilege escalation vulnerability in the Azure IoT CLI extension in February and, as reported by The Daily Swig, a pair of critical bugs in 2020.

Source: https://portswigger.net/daily-swig/adobe-patches-critical-magento-xss-that-puts-sites-at-takeover-risk
