Adobe Issues Critical Security Updates for Commerce and Magento Platforms


Adobe has released a critical security update for its widely used e-commerce platforms, Adobe Commerce and Magento Open Source. The update addresses a range of vulnerabilities, some of which could allow attackers to execute arbitrary code, read sensitive files, bypass security features, or take full control of affected systems.

Among the vulnerabilities patched, the most critical is an unrestricted upload of files with dangerous types, which can lead to arbitrary code execution (CVE-2024-39397, CVSS 9.0). Adobe notes that this flaw affects only installations served by the Apache web server. Another significant vulnerability is an improper restriction of excessive authentication attempts, which allows a security feature bypass (CVE-2024-39398).

Additionally, Adobe addressed multiple other high-severity issues, including:

  • Path Traversal Vulnerability: Arbitrary file system read (CVE-2024-39399)
  • Stored Cross-Site Scripting (XSS): Arbitrary code execution (CVE-2024-39400)
  • OS Command Injection: Arbitrary code execution (CVE-2024-39401, CVE-2024-39402)

Furthermore, moderate vulnerabilities involving improper access control and authorization were also patched, which could lead to privilege escalation and security feature bypass (CVE-2024-39404 through CVE-2024-39418).

The vulnerabilities affect Adobe Commerce and Magento Open Source 2.4.7-p1 and earlier, 2.4.6-p6 and earlier, 2.4.5-p8 and earlier, and 2.4.4-p9 and earlier. Adobe strongly recommends updating immediately to the fixed release for your branch (2.4.7-p2, 2.4.6-p7, 2.4.5-p9 or 2.4.4-p10) or applying the isolated patches Adobe published for specific CVEs where an upgrade is not immediately possible.
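The following script is an added example for this write-up, not Adobe's tooling: it reads the version string of an installation (for instance the output of `bin/magento --version`) and reports whether it is at or above the fixed release for its branch. The branch-to-fixed-release mapping is taken from Adobe's August 2024 bulletin (2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10); the handling of branches outside that range is this example's own assumption: anything older than 2.4.4 is out of support and treated as unpatched, anything newer than 2.4.7 was released after the bulletin and treated as patched.

```python
"""Check an Adobe Commerce / Magento Open Source version string against the
fixed releases of Adobe's August 2024 security update.

Added example, not Adobe's code. FIXED_VERSIONS comes from the bulletin;
the treatment of unlisted branches is an assumption documented below.
"""
import re
import subprocess

# Branch -> first release carrying the fixes (from the August 2024 bulletin).
FIXED_VERSIONS = {
    (2, 4, 7): "2.4.7-p2",
    (2, 4, 6): "2.4.6-p7",
    (2, 4, 5): "2.4.5-p9",
    (2, 4, 4): "2.4.4-p10",
}

# Magento version strings look like "2.4.6-p5" (patch level) or "2.4.7" (base release).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?")


def parse_version(text):
    """Return (major, minor, patch, p_level) found in text such as
    'Magento CLI 2.4.6-p5'. A release without a -pN suffix is p_level 0."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Magento version found in {text!r}")
    major, minor, patch, p_level = m.groups()
    return (int(major), int(minor), int(patch), int(p_level or 0))


def is_patched(version_text):
    """True if the version is at or above the fixed release for its branch.

    Assumption (not from the bulletin): branches newer than any listed one
    are post-bulletin releases and count as patched; branches older than any
    listed one are out of support and count as unpatched.
    """
    v = parse_version(version_text)
    branch = v[:3]
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is not None:
        return v >= parse_version(fixed)
    return branch > max(FIXED_VERSIONS)


def check_installation(magento_bin="bin/magento"):
    """Run `bin/magento --version` in the Magento root and evaluate the result.
    Returns (parsed_version, patched)."""
    out = subprocess.run(
        [magento_bin, "--version"], capture_output=True, text=True, check=True
    ).stdout
    return parse_version(out), is_patched(out)


if __name__ == "__main__":
    # Constructed sample strings in the shape `bin/magento --version` prints.
    for sample in ["Magento CLI 2.4.6-p5", "Magento CLI 2.4.7-p2", "Magento CLI 2.4.3-p3"]:
        status = "patched" if is_patched(sample) else "UNPATCHED"
        print(f"{sample}: {status}")
```

Run `check_installation()` from the Magento root on a real host; the `__main__` block only exercises constructed strings so the script can be tried offline. Note that a base release such as 2.4.7 (no `-p` suffix) is older than 2.4.7-p1 and is therefore reported as unpatched.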

Adobe has assigned the update a priority rating of 3, its lowest tier, meaning Adobe is not aware of active exploitation and considers the product a historically low-risk target; the potential impact on unpatched systems nonetheless remains significant, given the code-execution and file-read flaws listed above.

For detailed installation instructions and further information, Adobe advises users to consult the release notes and the security bulletin that accompany the update.
