Recent Adobe Commerce Vulnerability Exploited in Wild


The US cybersecurity agency CISA and Adobe this week warned of a recent Adobe Commerce vulnerability being actively exploited in attacks.

The flaw, tracked as CVE-2024-34102 (CVSS score of 9.8), is described as an improper restriction of XML external entity reference (XXE) bug that could allow attackers to execute arbitrary code.

“An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction,” a NIST advisory reads.
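As an added illustration (not code from the article, from NIST, or from Adobe's patch), the check below shows the defensive rule this bug class calls for: XML received from an untrusted source should be refused outright if it declares a DOCTYPE or any entity, before the document ever reaches a parser that might resolve external references. The sample request bodies are constructed for the example, and the `file:///` target in the hostile sample is a placeholder.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat

# Constructed sample request bodies (not taken from Adobe Commerce or the advisory).
BENIGN_XML = b"<order><id>1001</id><sku>ABC-123</sku></order>"
DOCTYPE_ONLY_XML = b"<!DOCTYPE order><order><id>1002</id></order>"
HOSTILE_XML = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///PLACEHOLDER-LOCAL-PATH">]>'
    b"<order><id>&ext;</id></order>"
)


def declares_doctype_or_entity(xml_bytes: bytes) -> bool:
    """Return True if the document carries a DOCTYPE or any entity declaration.

    A bare expat parser is used only to observe declarations; it has no
    external-entity handler registered, so nothing is fetched or expanded.
    """
    flagged = False
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        nonlocal flagged
        flagged = True

    def on_entity_decl(*_args):  # (name, is_param, value, base, sysid, pubid, notation)
        nonlocal flagged
        flagged = True

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError:
        # Malformed input is rejected as well; there is nothing safe to parse.
        return True
    return flagged


def parse_untrusted_xml(xml_bytes: bytes) -> ET.Element:
    """Parse XML only after the declaration check passes."""
    if declares_doctype_or_entity(xml_bytes):
        raise ValueError("XML with DOCTYPE or entity declarations is not accepted")
    return ET.fromstring(xml_bytes)


def classify(xml_bytes: bytes) -> str:
    """Verdict string for a request body: 'rejected' or 'accepted:<root tag>'."""
    try:
        root = parse_untrusted_xml(xml_bytes)
    except ValueError:
        return "rejected"
    return f"accepted:{root.tag}"


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_XML),
                        ("doctype-only", DOCTYPE_ONLY_XML),
                        ("hostile", HOSTILE_XML)):
        print(f"{label:13s} -> {classify(body)}")
```

The policy is deliberately coarse: legitimate API payloads for a commerce platform have no reason to carry a DTD, so rejecting every DOCTYPE is simpler and safer than trying to distinguish harmless entities from external ones. The same rule can be enforced in front of the application, for example as a request filter that logs and drops XML bodies containing `<!DOCTYPE`, which also gives a detection signal for exploitation attempts against an unpatched instance.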

Adobe warned of the security defect on June 11, when it announced patches for Commerce versions 2.4.2 to 2.4.7 and Magento Open Source versions 2.4.4 to 2.4.7. On June 28, the company released an isolated patch targeting the same vulnerability.

On Wednesday, Adobe announced an additional hotfix to address the vulnerability, urging customers to check all production and non-production environments and ensure they are patched properly.

“This is an urgent update related to CVE-2024-34102. Adobe is aware that CVE-2024-34102 has been exploited in the wild in very limited attacks targeting Adobe Commerce merchants,” the company said in its advisory.

Adobe recommends that customers either apply the June 11 update, then apply the new hotfix and rotate their encryption keys, or apply the isolated patch (which now includes the hotfix) and then rotate their encryption keys.

Customers who have already applied the security update and the isolated patch should apply the July 17 hotfix and then rotate their encryption keys. Customers who already rotated the encryption keys after applying the update and the isolated patch still need to apply the hotfix.


On Wednesday, CISA added CVE-2024-34102 to its Known Exploited Vulnerabilities (KEV) catalog, along with CVE-2024-28995 (path traversal in SolarWinds Serv-U) and CVE-2022-22948 (incorrect default file permissions in VMware vCenter Server).

Per Binding Operational Directive (BOD) 22-01, federal agencies have until August 7 to identify and remediate vulnerable instances in their environments.

Website owners and organizations are advised to review CISA’s KEV list and address all identified vulnerabilities as soon as possible.

Related: Critical Authentication Bypass Resolved in GitHub Enterprise Server

Related: Adobe Adds Content Credentials and Firefly to Bug Bounty Program

Related: OAuth Vulnerabilities in Widely Used Expo Framework Allowed Account Takeovers

Related: Adobe Illustrator Vulnerabilities Rated Critical, But Exploitation Not Easy
