Security
Headlines
HeadlinesLatestCVEs

Headline

Adobe patches critical Magento XSS that puts sites at takeover risk

E-commerce platform admins should update ASAP

PortSwigger
#xss#vulnerability#web#auth#sap

Adam Bannister 14 October 2022 at 11:11 UTC

E-commerce platform admins should update ASAP

A super-critical vulnerability in Adobe Magento could allow attackers to fully compromise e-commerce platforms, according to the security researcher who unearthed the bug.

Adobe has urged users to update their systems to protect their websites from abuse of the flaw, which has been assigned the maximum possible severity (CVSS) score of 10.

Tracked as CVE-2022-35698, the stored cross-site scripting (XSS) bug can lead to arbitrary code execution, according to an Adobe security advisory published on October 11.

Read more e-commerce security news

The flaw affects versions 2.4.4-p1 and earlier, as well as 2.4.5 and earlier, of Adobe Commerce and Magento Open Source. The issue has been patched in versions 2.4.5-p1 and 2.4.4-p2.

It’s estimated that around 267,000 active e-commerce websites are built with Magento.

The software update also addresses a medium severity, improper access control vulnerability that might be abused to bypass of a security feature (CVE-2022-35689).

‘Easy to exploit’

The researcher credited with finding the critical flaw, ‘Blaklis’, told The Daily Swig: “The flaw basically allows [an attacker] to XSS the admin area in a very specific way, that makes it very easy for the victim to trigger it with normal, regular browsing. That leads to obviously nasty things, including full shop compromise. So… that explains the score I guess.”

They added: “As far as I know, there’s no specific prerequisite to exploit it, and no real mitigations except patching.

“The flaw is pretty easy to exploit and does not require authentication at all. I found the bug by looking at their code, as I [have] do[ne] for a couple of years now – I pretty much know their code by heart now.”

Blaklis’ previous notable Magento finds have included a privilege escalation vulnerability in the Azure IoT CLI extension in February and, as reported by The Daily Swig, a pair of critical bugs in 2020.

YOU MAY ALSO LIKE Hidden DNS resolver insecurity creates widespread website hijack risk

Related news

CVE-2022-35689: Adobe Security Bulletin

Adobe Commerce versions 2.4.4-p1 (and earlier) and 2.4.5 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the availability of a user's minor feature. Exploitation of this issue does not require user interaction.

PortSwigger: Latest News

We’re going teetotal: It’s goodbye to The Daily Swig