New RCE flaw added to Adobe Commerce, Magento security advisory

Adobe has updated its advisory on an actively exploited critical vulnerability in the Adobe Commerce and Magento Open Source platforms to include another RCE bug.

The tech giant published revisions to the advisory on February 17. 

Adobe originally issued an out-of-band patch on February 13 to resolve CVE-2022-24086, a critical pre-auth vulnerability that can be exploited by attackers to remotely execute arbitrary code. 

CVE-2022-24086 has been issued a CVSS severity score of 9.8. Adobe said the security flaw was being actively exploited “in very limited attacks targeting Adobe Commerce merchants.”

Now, Adobe has added a further vulnerability to the advisory, CVE-2022-24087.

“We have discovered additional security protections necessary for CVE-2022-24086 and have released an update to address them (CVE-2022-24087),” Adobe said. 

The vulnerability has also been issued a CVSS score of 9.8 and impacts the same products in the same manner. 

Neither flaw requires administrative privileges to trigger, and both are described as improper input validation bugs leading to remote code execution (RCE).

As CVE-2022-24086 is being abused in the wild, Adobe has not released any further technical details. However, cybersecurity researchers from the Positive Technologies Offensive Team say they have been able to reproduce the

Read More: https://www.zdnet.com/article/adobe-updates-critical-magento-commerce-vulnerability-advisory-with-new-threat/#ftag=RSSbaffb68