E-commerce sites around the world may be at risk from this dangerous security vulnerability, so patch it now

A catastrophic vulnerability was recently discovered in Adobe Commerce and Magento, but e-commerce sites powering these platforms seem largely uninterested in applying the patch.

As a result, “millions” of websites are vulnerable to attacks that could have disastrous consequences, experts warn.

As reported Shiny ComputerSansec cybersecurity researchers discovered an improper mitigation of a third-party reference XML (“XXE”) vulnerability and named it “CosmicSting.” It is currently tracked as CVE-2024-34102 and has a severity rating of 9.8 (Critical).

Patch and remedies

“CosmicSting (also known as CVE-2024-34102) is the worst bug to appear in Magento and Adobe Commerce stores in two years,” Sansec said in a security advisory. “In itself, it allows anyone to read private files (such as those with passwords). However, when combined with the recent iconv bug in Linux, this turns into a remote code execution security nightmare.”

These are the product versions affected by CosmicSting:

Adobe Commerce 2.4.7 and earlier versions including 2.4.6-p5, 2.4.5-p7, 2.4.4-p8
Extended support Adobe Commerce 2.4.3-ext-7 and earlier, 2.4.2-ext-7 and earlier, 2.4.1-ext-7 and earlier, 2.4.0-ext-7 and earlier, 2.3.7-p4- ext-7 and earlier.
Magento Open Source 2.4.7 and earlier, including 2.4.6-p5, 2.4.5-p7, 2.4.4-p8
Adobe Commerce Webhooks plug-in versions 1.2.0 to 1.4.0

If your company is experiencing any of the above issues, be sure to apply the patch that is now available as soon as possible.

Sansec says that despite making the vulnerability public over a week ago, approximately 75% of Adobe Commerce and Magento users have not yet been patched. There is currently no evidence of actual abuse, and Adobe has not published technical details so as not to give hackers any clues. Sansec, however, says the patch can be reverse-engineered and used to learn more about the bug.

People who cannot apply the patch immediately are advised to use the soothing measures described in point this link.