A vulnerability known as “CosmicSting” has been identified in Adobe Commerce and Magento websites, remaining largely unpatched nine days after a security update was released. This leaves millions of websites at risk of catastrophic attacks, including XML external entity injection (XXE) and remote code execution (RCE). Sansec, a security firm, reports that three out of four websites using these e-commerce platforms have not yet applied the necessary patches.
CosmicSting, tracked as CVE-2024-34102, is considered the most severe bug to affect Magento and Adobe Commerce stores in the past two years. The flaw allows attackers to read private files from the server and, when chained with a recently disclosed Linux bug, can lead to remote code execution. With a critical CVSS score of 9.8, the vulnerability affects multiple versions of Adobe Commerce, Adobe Commerce Extended Support, Magento Open Source, and the Adobe Commerce Webhooks Plugin.
Sansec notes that although Adobe omitted technical details in its bulletin to prevent active exploitation, attackers can easily infer effective attack methods from the patch code. The simplicity and severity of this vulnerability make CosmicSting one of the most potentially damaging attacks in e-commerce history, comparable to previous threats like “Shoplift,” “Ambionics,” and “Trojan Order.” Sansec urges site administrators to apply the necessary fixes or mitigations immediately.
Adobe has released fixes for CVE-2024-34102, and administrators are urged to apply them as soon as possible. For those unable to upgrade immediately, Sansec suggests checking whether the underlying Linux system is affected using a specific command, and deploying an emergency fix code that blocks most CosmicSting attacks. However, BleepingComputer warns that this emergency fix has not been independently tested, so its effectiveness and safety cannot be guaranteed.