CosmicSting attacks Magento and Adobe Commerce stores
Recently, many Magento-built stores were hacked. CosmicSting is a severe vulnerability (CVE-2024-34102) that affects the Adobe Commerce and Magento platforms.
It allows attackers to exploit XML External Entities (XXE) during deserialization, potentially leading to remote code execution.
CosmicSting lets attackers read any file; they can steal the secret encryption key and then generate JWT tokens with full administrative API access.
According to the Sansec website, 3 to 4 websites using the impacted platform have not patched against CosmicSting, which puts them at risk of XML external entity injection (XXE) and remote code execution (RCE).
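The root cause described above is an XML deserializer that honours entity declarations. The following is an added example, not code from this post or from Adobe or Magento, showing the defensive side in Python's standard library: a parser that aborts on any DOCTYPE, entity declaration or external entity reference before anything is resolved, so the document can never pull in local files or remote resources. Both sample documents are constructed for this illustration, and the SYSTEM URI in the second one is a placeholder.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

# Constructed sample: a harmless nested document of the kind an API endpoint
# might deserialize. Illustrative only, not a Magento payload.
BENIGN_XML = b"""<?xml version="1.0"?>
<order><id>1001</id><customer><email>buyer@example.test</email></customer></order>"""

# Constructed sample of the construct XXE hardening must stop: a DOCTYPE that
# declares an external entity (the URI is a placeholder, not a real target).
ENTITY_XML = b"""<?xml version="1.0"?>
<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]>
<order><id>&ext;</id></order>"""


class UnsafeXmlError(ValueError):
    """Raised when a document carries a DTD, entity declaration or external reference."""


def _reject(what):
    raise UnsafeXmlError(f"{what} is not permitted in untrusted XML")


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source into an ElementTree, refusing any DTD.

    The expat hooks fire before any entity is resolved, and they see the decoded
    document, so the check is not fooled by alternative encodings the way a
    textual pre-scan for "<!DOCTYPE" can be. API payloads never legitimately
    need a DTD, so rejecting it outright is the simplest safe policy.
    """
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()
    parser.buffer_text = True
    # Security hooks: any DTD-level construct aborts the parse.
    parser.StartDoctypeDeclHandler = lambda *args: _reject("DOCTYPE")
    parser.EntityDeclHandler = lambda *args: _reject("ENTITY declaration")
    parser.ExternalEntityRefHandler = lambda *args: _reject("external entity reference")
    # Tree-building hooks.
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)
    return builder.close()


def check_payload(data: bytes) -> str:
    """Return 'accepted' or 'rejected: <reason>' for a candidate payload."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXmlError as exc:
        return f"rejected: {exc}"
    except expat.ExpatError as exc:
        return f"rejected: malformed XML ({exc})"
    return "accepted"


if __name__ == "__main__":
    print(check_payload(BENIGN_XML))
    print(check_payload(ENTITY_XML))
```

The benign document parses into a normal tree, while the second one is rejected at the DOCTYPE before the entity body is ever looked at. The same three expat hooks also stop internal-entity expansion attacks, so one parser setting covers both the file-read and the resource-exhaustion variants of XXE.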
Affected platforms
The following product versions are affected:
- Adobe Commerce 2.4.7 and earlier, including 2.4.6-p5, 2.4.5-p7, 2.4.4-p8
- Magento Open Source 2.4.7 and earlier, including 2.4.6-p5, 2.4.5-p7, 2.4.4-p8
- Adobe Commerce Webhooks Plugin versions 1.2.0 to 1.4.0
Mitigation
The vendor has released fixes for CVE-2024-34102 in the following versions. Administrators are urged to apply the patch as soon as possible.
- Adobe Commerce 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9
- Magento Open Source 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9
- Adobe Commerce Webhooks Plugin version 1.5.
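Checking a fleet of stores against the version lists above is error-prone by hand because the fix level is a "-pN" suffix on each release line. The following is an added example, not a tool from this post or from Adobe or Magento, that parses an Adobe Commerce / Magento Open Source version string and reports whether it is at or above the fixed level for its line. The patched levels and the "2.4.7 and earlier" range are taken from the lists above; the Webhooks plugin uses its own numbering and is out of scope for this check, and the inventory at the bottom is constructed.

```python
import re
from typing import Dict, Iterable, Tuple

Base = Tuple[int, int, int]

# Minimum patched "-pN" level per release line, taken from the advisory above.
# A release line absent from this table has no fix listed on the page.
PATCHED_MINIMUM: Dict[Base, int] = {
    (2, 4, 7): 1,
    (2, 4, 6): 6,
    (2, 4, 5): 8,
    (2, 4, 4): 9,
}

# "2.4.7 and earlier" is the affected range stated in the advisory.
LAST_AFFECTED_BASE: Base = (2, 4, 7)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(version: str) -> Tuple[Base, int]:
    """Split '2.4.6-p5' into ((2, 4, 6), 5); a bare '2.4.7' has patch level 0."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    base = (int(match.group(1)), int(match.group(2)), int(match.group(3)))
    patch = int(match.group(4)) if match.group(4) else 0
    return base, patch


def assess(version: str) -> str:
    """Classify an installed Adobe Commerce / Magento Open Source version.

    Returns one of:
      'patched'            at or above the fixed -pN level for its line
      'vulnerable'         on a line with a fix, but below the fixed level
      'vulnerable-no-fix'  within "2.4.7 and earlier" on a line with no fix listed (upgrade)
      'outside-advisory'   newer than the stated affected range; not covered here
    """
    base, patch = parse_version(version)
    if base > LAST_AFFECTED_BASE:
        return "outside-advisory"
    required = PATCHED_MINIMUM.get(base)
    if required is None:
        return "vulnerable-no-fix"
    return "patched" if patch >= required else "vulnerable"


def assess_inventory(versions: Iterable[str]) -> Dict[str, str]:
    """Assess every version string in an inventory, keeping unparsable entries visible."""
    result: Dict[str, str] = {}
    for version in versions:
        try:
            result[version] = assess(version)
        except ValueError:
            result[version] = "unparsable"
    return result


if __name__ == "__main__":
    # Constructed inventory for demonstration.
    sample = ["2.4.7", "2.4.7-p1", "2.4.6-p5", "2.4.6-p6", "2.4.3-p3", "2.4.8", "2.4"]
    for version, verdict in assess_inventory(sample).items():
        print(f"{version:10s} {verdict}")
```

Note that a bare "2.4.7" is treated as patch level 0 and therefore vulnerable, since the fix for that line is 2.4.7-p1; anything the regex cannot parse is reported rather than silently skipped, so a malformed inventory entry cannot hide an unpatched store.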