Adobe patches Magento CMS zero-day
Adobe has released an emergency security update on Sunday to address a zero-day vulnerability in the Magento and Adobe Commerce platforms that was actively abused in the wild by attackers.
The zero-day, tracked as CVE-2022-24086, was described as a pre-authentication remote code execution issue. Adobe said the root cause of the bug was improper input validation.
Versions 2.3.7-p2 and earlier and 2.4.3-p1 and earlier of the Adobe open-source CMS and the Adobe Commerce cloud e-commerce platform are considered vulnerable to attacks and should be updated right away.
In a separate Magento security bulletin, Adobe described the attacks as “very limited.”
E-commerce sites are some of the most valuable targets on the internet today, as once they are compromised, they can be infected with malware that steals buyers’ payment card data.
These types of attacks, known as web skimmers or Magecart attacks, have been taking place since 2016, and they don’t appear to be stopping any time soon.
Just last week, e-commerce security firm SanSec reported about a campaign that infected more than 500 Magento 1.x stores.