
CISA puts Chrome and Magento Zero-Days on must-have patch list

US authorities added nine more exploited vulnerabilities for federal agencies to fix, including a zero-day bug used to hijack e-commerce sites.

The US Cybersecurity and Infrastructure Security Agency (CISA) yesterday updated its catalog of known exploited vulnerabilities.

The most urgent fixes must be applied by March 1. They address two zero-day vulnerabilities: an improper input validation flaw in Adobe Commerce and Magento Open Source and a use-after-free vulnerability in Google Chrome.

The Adobe bug (CVE-2022-24086) was patched by the firm on Sunday after receiving a CVSS score of 9.8.

Exploitable without credentials, the critical vulnerability could allow a remote attacker to execute arbitrary code on an affected system, potentially enabling digital skimming attacks against e-commerce sites running the software.

Although Adobe said it had seen only “very limited” attacks in the wild, the fact that it took the unusual step of releasing an out-of-band patch last weekend highlights the potential impact of exploitation.

The Chrome vulnerability (CVE-2022-0609) is the browser’s first zero-day bug of the year and is rated as high severity.

The Chrome flaw could allow a remote attacker to create a specially crafted web page, trick a user into visiting it via a phishing attack, and then execute arbitrary code on the user’s machine. Google said the fix is included in version 98.0.4758.102, which will roll out over the “next few days/weeks.”

The catalog was launched in November 2021 as part of Binding Operational Directive (BOD) 22-01, designed to make civilian federal government agencies more cyber-resilient.

However, it is also recommended that all organizations prioritize their patching efforts based on the list, since all of the bugs in it have been actively exploited in the wild.
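One way to act on that recommendation is to turn the catalog into a patching plan ordered by CISA’s due dates. The script below is an added example, not code from the article or from CISA: it parses a catalog excerpt in the shape of CISA’s public KEV JSON feed (field names `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate` and so on), optionally filters it against an inventory of products actually in use, and sorts what remains so that overdue items come first. The two CVE identifiers and due dates are taken from the article; the third entry is a clearly labelled placeholder standing in for one of the seven August-due items, which the article does not name.

```python
"""Prioritise patching from a KEV-style catalog export (added example).

The JSON layout mirrors the field names of CISA's public KEV feed, but every
entry below is constructed for this demonstration.
"""
import json
from datetime import date

# Constructed sample in the KEV feed's shape. CVE ids and dates for the first two
# entries come from the article; the third is a placeholder (not a real CVE id).
SAMPLE_KEV_JSON = """
{
  "title": "constructed KEV-style catalog excerpt",
  "vulnerabilities": [
    {
      "cveID": "CVE-2022-24086",
      "vendorProject": "Adobe",
      "product": "Commerce and Magento Open Source",
      "vulnerabilityName": "Improper Input Validation Vulnerability",
      "dateAdded": "2022-02-15",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2022-03-01"
    },
    {
      "cveID": "CVE-2022-0609",
      "vendorProject": "Google",
      "product": "Chrome",
      "vulnerabilityName": "Use-After-Free Vulnerability",
      "dateAdded": "2022-02-15",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2022-03-01"
    },
    {
      "cveID": "CVE-0000-00000-PLACEHOLDER",
      "vendorProject": "Adobe",
      "product": "Flash Player",
      "vulnerabilityName": "Use-After-Free Vulnerability (placeholder entry)",
      "dateAdded": "2022-02-15",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2022-08-15"
    }
  ]
}
"""


def parse_catalog(text):
    """Return the catalog entries with the fields needed for prioritisation."""
    data = json.loads(text)
    return [
        {
            "cve": v["cveID"],
            "vendor": v["vendorProject"],
            "product": v["product"],
            "name": v["vulnerabilityName"],
            "added": date.fromisoformat(v["dateAdded"]),
            "due": date.fromisoformat(v["dueDate"]),
        }
        for v in data["vulnerabilities"]
    ]


def prioritize(entries, today, inventory=None):
    """Order entries by CISA due date, flagging those already overdue.

    today: a date or an ISO-8601 string.
    inventory: optional set of (vendor, product) pairs; when given, entries for
    products the organisation does not run are dropped from the plan.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    plan = []
    for e in entries:
        if inventory is not None and (e["vendor"], e["product"]) not in inventory:
            continue
        days_left = (e["due"] - today).days
        plan.append({**e, "days_left": days_left,
                     "status": "overdue" if days_left < 0 else "due"})
    # Nearest due date first; CVE id breaks ties so the order is deterministic.
    plan.sort(key=lambda e: (e["due"], e["cve"]))
    return plan


if __name__ == "__main__":
    for item in prioritize(parse_catalog(SAMPLE_KEV_JSON), "2022-02-16"):
        print(f'{item["status"]:8} {item["due"]}  {item["cve"]:28} '
              f'{item["vendor"]} {item["product"]} ({item["days_left"]} days)')
```

Run against the real feed, the same two functions give a daily list of what is overdue or due soonest; supplying an inventory keeps the list to products the organisation actually operates.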

The other seven on this latest updated list are to be fixed by August 15, 2022, according to CISA. They include another use-after-free flaw in Adobe Flash Player and bugs affecting four Microsoft products: Word, Internet Explorer, Windows, and Microsoft Graphics Component.