
Adobe fixes critical Magento XSS that puts sites at risk of takeover

eCommerce platform admins should update ASAP

A critical vulnerability in Adobe Magento could allow attackers to completely compromise e-commerce sites, according to the security researcher who discovered the bug.

Adobe has urged users to update their installations to protect their websites against exploitation of the flaw, which has been assigned the maximum possible CVSS severity score of 10.0.

Tracked as CVE-2022-35698, the stored cross-site scripting (XSS) bug may lead to arbitrary code execution, according to an Adobe security advisory released on October 11.


The flaw affects Adobe Commerce and Magento Open Source versions 2.4.4-p1 and earlier, as well as 2.4.5 and earlier. It has been fixed in versions 2.4.4-p2 and 2.4.5-p1.
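Because the 2.4.4 line was fixed in a security patch release (2.4.4-p2) while the 2.4.5 line was fixed in 2.4.5-p1, a plain string or numeric comparison gets the answer wrong for versions such as 2.4.4-p3 (fixed) versus 2.4.5 (vulnerable). The following triage script is an added example written for this article, not code from Adobe, Magento or the researcher; it encodes only the version ranges quoted above and assumes the `major.minor.patch[-pN]` version format that Magento itself uses (e.g. `2.4.4-p1`), with a bare release such as `2.4.4` sorting before `2.4.4-p1`.

```python
import re
from typing import Dict, Iterable, Tuple

# Ranges as stated in Adobe's advisory for CVE-2022-35698 (quoted in the article):
#   affected: 2.4.4-p1 and earlier, 2.4.5 and earlier
#   fixed:    2.4.4-p2 (2.4.4 line), 2.4.5-p1 (2.4.5 line)
FIX_244 = "2.4.4-p2"
FIX_245 = "2.4.5-p1"

# Magento/Adobe Commerce version strings look like "2.4.5" or "2.4.4-p1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse '2.4.4-p1' into a comparable tuple (major, minor, patch, security_patch).

    A release without a '-pN' suffix gets security_patch 0, so '2.4.4' sorts
    before '2.4.4-p1', which is the ordering Magento's release scheme implies.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {text!r}")
    major, minor, patch, sec = m.groups()
    return (int(major), int(minor), int(patch), int(sec or 0))


def is_affected_by_cve_2022_35698(version: str) -> bool:
    """True if `version` falls inside the ranges the advisory lists as affected.

    'X and earlier' is read as everything that sorts at or below X. The one
    subtlety is the 2.4.4 line: 2.4.4-p2 and any later 2.4.4-pN are fixed even
    though they sort below 2.4.5, which itself is still vulnerable.
    """
    v = parse_version(version)
    if v >= parse_version(FIX_245):
        return False  # 2.4.5-p1 or later: fixed
    if parse_version(FIX_244) <= v < (2, 4, 5, 0):
        return False  # 2.4.4-p2 .. 2.4.4-pN: fixed within the 2.4.4 line
    return True  # 2.4.5, 2.4.4-p1 and everything earlier


def minimum_fix_for(version: str) -> str:
    """Lowest fixed release the advisory offers for a given version's line.

    Anything below 2.4.5 is pointed at 2.4.4-p2 (so older 2.3.x installs get
    the same answer); 2.4.5 is pointed at 2.4.5-p1.
    """
    return FIX_244 if parse_version(version) < (2, 4, 5, 0) else FIX_245


def triage(versions: Iterable[str]) -> Dict[str, bool]:
    """Map each version string in an inventory to whether it is affected."""
    return {v: is_affected_by_cve_2022_35698(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts: the output of
    # `bin/magento --version` collected from a handful of storefronts.
    inventory = ["2.3.7-p4", "2.4.3-p3", "2.4.4", "2.4.4-p1", "2.4.4-p2", "2.4.5", "2.4.5-p1"]
    for ver, affected in triage(inventory).items():
        status = f"AFFECTED, upgrade to {minimum_fix_for(ver)}" if affected else "fixed"
        print(f"{ver:10} {status}")
```

On a live install the version string to feed in comes from `bin/magento --version` (or the `version` field of `composer.lock` for the `magento/product-community-edition` or `magento/product-enterprise-edition` package); the script deliberately refuses anything it cannot parse rather than guessing, because a mis-parsed version would silently report a vulnerable store as patched.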

It is estimated that around 267,000 active e-commerce websites are built with Magento.

The same update also resolves a medium-severity improper access control vulnerability (CVE-2022-35689) that could be abused to bypass a security feature.

“Easy to exploit”

The researcher credited with finding the critical flaw, ‘Blaklis’, told The daily sip: “The flaw essentially allows [an attacker] to XSS the admin area in a very specific way, which allows the victim to trigger it very easily with normal and regular browsing. This leads to some obviously nasty things, including complete compromise. So… that explains the score, I guess.”

They added: “As far as I know, there are no specific requirements to exploit it, and no real mitigations except patches.

“The flaw is quite easy to exploit and requires no authentication. I found the bug by looking at their code, because I [have been doing that] for a few years now – I pretty much know their code by heart now.”

Previous notable findings credited to Blaklis include a privilege escalation vulnerability in the Azure IoT CLI extension in February and, as reported by The daily sip, a pair of critical Magento bugs in 2020.
