Nine vulnerabilities were added to the US Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities Catalog this week, including two with a March 1 remediation due date, the deadline by which federal civilian agencies must apply the fix under Binding Operational Directive 22-01.
Those two are CVE-2022-24086, which affects Adobe Commerce and Magento Open Source, and CVE-2022-0609, which affects Google Chrome.
Adobe released an emergency patch on Monday for CVE-2022-24086, an improper input validation flaw that allows arbitrary code execution without authentication and which security companies have confirmed is being exploited in the wild. The company said the vulnerability affects Adobe Commerce and Magento Open Source and is being weaponized "in very limited attacks targeting Adobe Commerce merchants."
The bug affects Adobe Commerce 2.3.3-p1 through 2.3.7-p2 and Magento Open Source 2.4.0 through 2.4.3-p1, as well as earlier versions. It carries a CVSS severity score of 9.8 out of 10. Adobe distributes the fix as a standalone patch that must be downloaded and applied manually, so a store's version number alone does not show whether the fix is in place.
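The affected ranges above are easy to misread because Magento 2 versions carry a "-pN" patch-level suffix that sorts after the bare version (2.4.3 is older than 2.4.3-p1). The following Python is an added example, not Adobe's code, that parses such version strings and classifies an installed version against the ranges the advisory lists; it assumes "as well as earlier versions" covers the 2.0 to 2.2 lines and treats Magento 1 as unsupported rather than affected. The function and constant names are this example's own.

```python
"""Assess whether an Adobe Commerce / Magento Open Source version falls in the
ranges listed for CVE-2022-24086.

Added example, not Adobe's code.  The ceilings below are the highest listed
affected release per supported line; "as well as earlier versions" is taken
to mean everything below them, including the 2.0 to 2.2 lines.
"""
import re
from typing import Tuple

# Highest listed affected release on each supported 2.x line (from the advisory).
AFFECTED_CEILINGS = {
    (2, 3): "2.3.7-p2",
    (2, 4): "2.4.3-p1",
}

# MAJOR.MINOR.PATCH, optional fourth component (Magento 1 used four, e.g.
# 1.9.4.5), optional "-pN" patch-level suffix used by Magento 2.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?(?:-p(\d+))?$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a version string into a tuple that sorts correctly.

    The "-pN" suffix is a patch-level release that comes *after* the bare
    version, so 2.4.3 < 2.4.3-p1 < 2.4.3-p2 < 2.4.4.  A missing component
    is treated as 0.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part or 0) for part in m.groups())


def assess(version: str) -> str:
    """Classify a version as 'unsupported', 'affected' or 'outside-listed-range'."""
    v = parse_version(version)
    if v[0] < 2:
        # Magento 1 reached end of support on 2020-06-30 and receives no fix.
        return "unsupported"
    line = (v[0], v[1])
    if line in AFFECTED_CEILINGS:
        ceiling = parse_version(AFFECTED_CEILINGS[line])
        return "affected" if v <= ceiling else "outside-listed-range"
    if line < (2, 3):
        # 2.0 - 2.2 predate the listed ranges: "as well as earlier versions".
        return "affected"
    # Lines newer than the advisory covers: consult the vendor advisory.
    return "outside-listed-range"


if __name__ == "__main__":
    for ver in ["1.9.4.5", "2.2.11", "2.3.7-p2", "2.3.7-p3", "2.4.3", "2.4.3-p1", "2.4.4"]:
        print(f"{ver:10} -> {assess(ver)}")
```

Because the fix ships as a patch applied on top of an existing release rather than as a new version, an "affected" result means "verify the patch has been applied", not "definitely vulnerable"; the version string cannot distinguish a patched 2.4.3-p1 from an unpatched one.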
Adobe has urged customers still on the Magento 1 e-commerce platform to upgrade to the latest version of Adobe Commerce after security firm Sansec detected a mass compromise of more than 500 stores running it. In a statement to ZDNet, Adobe said it ended support for Magento 1 on June 30, 2020.
"We continue to encourage merchants to upgrade to the latest version of Adobe Commerce to benefit from the latest security, flexibility, extensibility and scalability," a spokesperson for Adobe Commerce said.
“At a minimum, we recommend that Magento Open Source merchants on Magento 1 upgrade to the latest version of Magento Open Source (based on Magento 2), to which Adobe contributes key security updates.”
The other issue with a March 1 due date is CVE-2022-0609, a use-after-free vulnerability in Google Chrome's Animation component. Google released a fix on Monday in Chrome 98.0.4758.102 and said the bug was reported on February 10 by Adam Weidemann and Clément Lecigne of Google's Threat Analysis Group.
“Google is aware of reports that an exploit for CVE-2022-0609 exists in the wild,” added Srinivas Sista of Google Chrome.
The other seven vulnerabilities in this batch have remediation due dates of August 15.
CISA has been updating the catalog more frequently in 2022, adding more vulnerabilities with each update. Its previous update came just five days ago and included a vulnerability with a due date of February 24.
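Because the catalog now changes every few days, a practitioner typically wants to pull the feed and see what is due soon or already overdue rather than read each announcement. The following Python is an added example, not CISA's code: it reads a feed in the KEV JSON layout (a top-level "vulnerabilities" list whose entries carry "cveID", "vendorProject", "product" and a "dueDate" in YYYY-MM-DD form) and lists entries due within a window, most urgent first. The feed below is constructed for the example: the Adobe and Chrome entries match the article, while the other two use placeholder IDs standing in for the February 24 and August 15 entries the article mentions without naming. The function names are this example's own.

```python
"""Triage a KEV-style catalog feed by remediation due date.

Added example, not CISA's code.  Assumes the feed's JSON layout: a top-level
"vulnerabilities" list whose entries carry "cveID", "vendorProject",
"product" and "dueDate" (YYYY-MM-DD).
"""
import json
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Constructed sample in the shape of the KEV JSON feed, not a real download.
# CVE-EXAMPLE-* are placeholders, not real identifiers.
SAMPLE_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2022-24086", "vendorProject": "Adobe",
         "product": "Commerce and Magento Open Source", "dueDate": "2022-03-01"},
        {"cveID": "CVE-2022-0609", "vendorProject": "Google",
         "product": "Chrome", "dueDate": "2022-03-01"},
        {"cveID": "CVE-EXAMPLE-0001", "vendorProject": "ExampleVendor",
         "product": "ExampleProduct", "dueDate": "2022-02-24"},
        {"cveID": "CVE-EXAMPLE-0002", "vendorProject": "ExampleVendor",
         "product": "OtherProduct", "dueDate": "2022-08-15"},
    ],
})


def load_catalog(text: str) -> List[Dict[str, str]]:
    """Parse the feed and reject input that lacks the expected list."""
    data = json.loads(text)
    entries = data.get("vulnerabilities") if isinstance(data, dict) else None
    if not isinstance(entries, list):
        raise ValueError("feed has no 'vulnerabilities' list")
    return entries


def due_within(entries: List[Dict[str, str]], today: date,
               days: int) -> List[Tuple[str, str, int]]:
    """Return (cveID, vendor/product, days_left) for entries due within `days`
    of `today`.  Overdue entries are included with a negative days_left and
    the list is sorted most urgent first."""
    horizon = today + timedelta(days=days)
    out = []
    for e in entries:
        due = date.fromisoformat(e["dueDate"])
        if due <= horizon:
            label = f'{e["vendorProject"]} {e["product"]}'
            out.append((e["cveID"], label, (due - today).days))
    return sorted(out, key=lambda item: item[2])


if __name__ == "__main__":
    for cve, label, left in due_within(load_catalog(SAMPLE_FEED), date(2022, 2, 18), 14):
        state = f"overdue by {-left}d" if left < 0 else f"{left}d left"
        print(f"{cve:16} {label:40} {state}")
```

Running with a reference date of February 18 and a 14-day window lists the February 24 entry first and the two March 1 entries after it, while the August 15 entry is left out; moving the reference date past March 1 turns the same entries into overdue ones with negative day counts.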