Ecommerce sites across the world could be at risk from this dangerous security flaw, so patch now

Sead Fadilpašić

June 21, 2024 at 11:28 AM·2 min read

A catastrophic vulnerability was recently discovered in Adobe Commerce and Magento, but ecommerce websites operating these platforms seem largely uninterested in applying a patch.

As a result, “millions” of sites are open to attacks that could have devastating consequences, experts have warned.

As reported by BleepingComputer, cybersecurity researchers from Sansec discovered an improper restriction of XML external entity reference ('XXE') vulnerability, and dubbed it “CosmicSting”. It is now being tracked as CVE-2024-34102, and carries a severity score of 9.8 (critical).

Patch and mitigations

"CosmicSting (aka CVE-2024-34102) is the worst bug to hit Magento and Adobe Commerce stores in two years," Sansec said in a security advisory. "In itself, it allows anyone to read private files (such as those with passwords). However, combined with the recent iconv bug in Linux, it turns into the security nightmare of remote code execution."

Here are the product versions affected by CosmicSting:

Adobe Commerce 2.4.7 and earlier, including 2.4.6-p5, 2.4.5-p7, 2.4.4-p8
Adobe Commerce Extended Support 2.4.3-ext-7 and earlier, 2.4.2-ext-7 and earlier, 2.4.1-ext-7 and earlier, 2.4.0-ext-7 and earlier, 2.3.7-p4-ext-7 and earlier.
Magento Open Source 2.4.7 and earlier, including 2.4.6-p5, 2.4.5-p7, 2.4.4-p8
Adobe Commerce Webhooks Plugin versions 1.2.0 to 1.4.0

If your business is running any of the above, make sure to apply the patch - which was already made available - as soon as possible.

Sansec says that despite the vulnerability being made public more than a week ago, some 75% of Adobe Commerce and Magento users are yet to patch up. There is currently no evidence of in-the-wild abuse, and Adobe did not publish technical details so at to not give hackers any hints. However, Sansec says that the patch can be reverse-engineered and used to learn more about the bug.

Those who are unable to apply the patch immediately are advised to apply the mitigations found on this link.

More from TechRadar Pro

Magento bug exploited to steal payment data from ecommerce websites
Here's a list of the best firewalls today
These are the best endpoint protection tools right now

Yahoo Finance
Biden says Trump will make inflation worse. It's unclear if he can convince voters.
Joe Biden is likely to make a case on the debate stage tonight that Donald Trump will make inflation worse. Whether voters believe him is another matter entirely.
Yahoo Life
Tips to clean your ears — and why ENTs want you to stop removing ear wax with cotton swabs and at-home irrigation kits
Ear wax is normal, doctors say, and using swabs can cause more damage.
Yahoo Sports
2024 NBA Draft: Winners and losers from the first round, featuring the Spurs, Grizzlies and France
Here is a stab at a first draft of history — a thumbnail sketch of who had a pretty good first night of the 2024 NBA Draft, and who might wind up looking back at the evening wistfully, with some regret.
Yahoo Sports
Bronny James goes unselected in first round of 2024 NBA Draft
Where will LeBron James' son be taken in the second?
Yahoo Sports
2024 NBA Draft grades: First-round pick-by-pick analysis
Here are Yahoo Sports' complete first-round draft grades.
Yahoo Sports
Nic Claxton agrees to 4-year, $100 million deal to return to Nets: Report
Nic Claxton isn't going anywhere.
Yahoo Life Shopping
The best 4th of July sales to shop now from Amazon, Walmart, Target and more
From TVs to mattresses to home appliances, the biggest retailers already have stellar savings ahead of the holiday.
Yahoo Entertainment
'Happy Place' Netflix series in the works: A guide to all the Emily Henry books becoming movies, TV shows
"Happy Place" is Emily Henry's latest novel to be adapted for the screen.
Yahoo Sports
Celtics president Brad Stevens expects Kristaps Porziņģis to miss 'at least' start of next season with ankle injury suffered in Finals
Porziņģis is still consulting with doctors and expects to undergo surgery soon.
Engadget
'Dead Rising' is back with a new Deluxe Remaster
Capcom surprised fans by announcing a brand new remaster for the studio's 2006 zombie-smashing hit Dead Rising.
Yahoo Finance
Rivian stock soars as Volkswagen says it will invest up to $5 billion in new joint venture
Rivian shares are surged after the EV maker announced a joint venture deal with Volkswagen, crucially bringing fresh capital into Rivian’s coffers.
Engadget
An ID verification service that works with TikTok and X left its credentials wide open for a year
An ID verification service that works with TikTok and X left its credentials wide open for a year. This means that hackers could potentially have accessed sensitive data, like drivers’ licenses.
Yahoo Sports
Concern for Cole, Padres-Nationals beef, college baseball drama & who might be in the Home Run Derby
Jake Mintz and Jordan Shusterman examine if there’s reason for concern with Gerrit Cole after two rough outings, drama within the college baseball world, who might be participating in the 2024 Home Run Derby and ask why some players don’t have a home run yet this season.
Yahoo Life Shopping
The best early Amazon Prime Day deals to shop prior to the July 16-17 sale
Amazon Prime Day 2024 was just confirmed to run July 16-17. Here's all the info we have so far, along with early deals you can shop early.
Yahoo Tech
Eufy Security Video Doorbell E340 review: My favorite front-door security system
With its dual cameras, onboard storage, smart detection capabilities and subscription-free operation, there's currently no better bell to put on your porch.
Yahoo Finance
Don’t count on any more Trump tax cuts
Tax hikes, not cuts, may be needed during the next presidential administration to deal with massive amounts of debt neither party can control.
Yahoo Life Shopping
The 16 best sports bras for 2024, tested by fitness experts
Find the perfect combination of comfort and support for your body type right here.
Yahoo Personal Finance
What is an ABA routing number?
ABA routing numbers are nine-digit codes that identify financial institutions. Learn more about how bank ABA numbers work and when you need to know them.
Engadget
A Meta ‘error’ broke the political content filter on Threads and Instagram
Meta continued to limit political content even for users who had opted in to seeing it due to an unspecified "error."
Yahoo Personal Finance
CD rates today, June 26, 2024 (up to 5.15% APY)
Looking for the best CD rates available today? Here’s a look at where to find the highest rates and whether now is a good time to invest in a CD.

News

Life

Entertainment

Finance

Sports

New on Yahoo

Ecommerce sites across the world could be at risk from this dangerous security flaw, so patch now

Patch and mitigations

More from TechRadar Pro

Recommended Stories

Biden says Trump will make inflation worse. It's unclear if he can convince voters.

Tips to clean your ears — and why ENTs want you to stop removing ear wax with cotton swabs and at-home irrigation kits

2024 NBA Draft: Winners and losers from the first round, featuring the Spurs, Grizzlies and France

Bronny James goes unselected in first round of 2024 NBA Draft

2024 NBA Draft grades: First-round pick-by-pick analysis

Nic Claxton agrees to 4-year, $100 million deal to return to Nets: Report

The best 4th of July sales to shop now from Amazon, Walmart, Target and more

'Happy Place' Netflix series in the works: A guide to all the Emily Henry books becoming movies, TV shows

Celtics president Brad Stevens expects Kristaps Porziņģis to miss 'at least' start of next season with ankle injury suffered in Finals

'Dead Rising' is back with a new Deluxe Remaster

Rivian stock soars as Volkswagen says it will invest up to $5 billion in new joint venture

An ID verification service that works with TikTok and X left its credentials wide open for a year

Concern for Cole, Padres-Nationals beef, college baseball drama & who might be in the Home Run Derby

The best early Amazon Prime Day deals to shop prior to the July 16-17 sale

Eufy Security Video Doorbell E340 review: My favorite front-door security system

Don’t count on any more Trump tax cuts

The 16 best sports bras for 2024, tested by fitness experts

What is an ABA routing number?

A Meta ‘error’ broke the political content filter on Threads and Instagram

CD rates today, June 26, 2024 (up to 5.15% APY)