Adobe patches critical Magento XSS that puts sites at takeover risk

Adam Bannister 14 October 2022 at 11:11 UTC

E-commerce platform admins should update ASAP

A super-critical vulnerability in Adobe Magento could allow attackers to fully compromise e-commerce platforms, according to the security researcher who unearthed the bug.

Adobe has urged users to update their systems to protect their websites from abuse of the flaw, which has been assigned the maximum possible severity (CVSS) score of 10.

Tracked as CVE-2022-35698, the stored cross-site scripting (XSS) bug can lead to arbitrary code execution, according to an Adobe security advisory published on October 11.

Read more e-commerce security news

The flaw affects versions 2.4.4-p1 and earlier, as well as 2.4.5 and earlier, of Adobe Commerce and Magento Open Source. The issue has been patched in versions 2.4.5-p1 and 2.4.4-p2.

It’s estimated that around 267,000 active e-commerce websites are built with Magento.

The software update also addresses a medium severity, improper access control vulnerability that might be abused to bypass of a security feature (CVE-2022-35689).

‘Easy to exploit’

The researcher credited with finding the critical flaw, ‘Blaklis’, told The Daily Swig: “The flaw basically allows [an attacker] to XSS the admin area in a very specific way, that makes it very easy for the victim to trigger it with normal, regular browsing. That leads to obviously nasty things, including full shop compromise. So… that explains the score I guess.”

They added: “As far as I know, there’s no specific prerequisite to exploit it, and no real mitigations except patching.

“The flaw is pretty easy to exploit and does not require authentication at all. I found the bug by looking at their code, as I [have] do[ne] for a couple of years now – I pretty much know their code by heart now.”

Blaklis’ previous notable Magento finds have included a privilege escalation vulnerability in the Azure IoT CLI extension in February and, as reported by The Daily Swig, a pair of critical bugs in 2020.

YOU MAY ALSO LIKE Hidden DNS resolver insecurity creates widespread website hijack risk