- June 13, 2024
- Beazley Security Labs
Multiple Critical Vulnerabilities in Adobe Magento, Commerce, and Commerce Webhooks Plugin
Executive Summary
On June 11th, Adobe released a security bulletin covering several vulnerabilities in their Magento, Commerce, and Commerce Webhooks Plugin software.
There were ten vulnerabilities, seven of which had a CVSS severity of “critical”, with scores of 8 or above. All of these critical vulnerabilities were remotely reachable, and three required no credentials. The vulnerabilities were discovered and reported by third-party researchers through the HackerOne bug bounty program, so technical details of the vulnerabilities were not publicly disclosed. However, the patches are public, and we expect capable threat actors to study the patches to develop and deploy weaponized exploits in the coming days.
Given these factors, Beazley Security believes the Adobe-provided updates should be deployed as soon as possible.
Affected Systems or Products
The vulnerabilities affect the following Adobe Commerce related products:
| Product | Version | Platform |
| --- | --- | --- |
| Adobe Commerce | 2.4.7 and earlier; 2.4.6-p5 and earlier; 2.4.5-p7 and earlier; 2.4.4-p8 and earlier; 2.4.3-ext-7 and earlier*; 2.4.2-ext-7 and earlier*; 2.4.1-ext-7 and earlier*; 2.4.0-ext-7 and earlier*; 2.3.7-p4-ext-7 and earlier* | All |
| Magento Open Source | 2.4.7 and earlier; 2.4.6-p5 and earlier; 2.4.5-p7 and earlier; 2.4.4-p8 and earlier | All |
| Adobe Commerce Webhooks Plugin | 1.2.0 to 1.4.0 | Manual Plugin Installation |
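To triage an estate against the version table above, the following added example (not part of the original advisory or of Adobe's tooling) parses Magento-style version strings such as `2.4.6-p5` and `2.3.7-p4-ext-7` and reports whether a given Commerce or Magento Open Source version is at or below an affected ceiling on its release line. It assumes the version string is the one reported by the installation (for example by `bin/magento --version`) and that extended-support (`-ext-N`) builds postdate all plain `-pN` builds on the same line.

```python
import re
from typing import Optional, Tuple

# Affected ceilings copied from the bulletin table on this page:
# any build on the same release line at or below the ceiling is affected.
AFFECTED = {
    "Adobe Commerce": [
        "2.4.7", "2.4.6-p5", "2.4.5-p7", "2.4.4-p8",
        "2.4.3-ext-7", "2.4.2-ext-7", "2.4.1-ext-7", "2.4.0-ext-7",
        "2.3.7-p4-ext-7",
    ],
    "Magento Open Source": ["2.4.7", "2.4.6-p5", "2.4.5-p7", "2.4.4-p8"],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?(?:-ext-(\d+))?$")


def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """Turn '2.4.6-p5' or '2.3.7-p4-ext-7' into a sortable tuple
    (major, minor, patch, ext-level, p-level); absent levels count as 0.
    Assumption: ext-level sorts before p-level, so 2.4.3-p3 < 2.4.3-ext-1."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {v!r}")
    major, minor, patch, p, ext = m.groups()
    return (int(major), int(minor), int(patch), int(ext or 0), int(p or 0))


def is_affected(product: str, version: str) -> Optional[bool]:
    """True  -> at or below a listed ceiling on its release line (affected)
    False -> on a listed line but above the ceiling (outside the affected range)
    None  -> release line not mentioned in the bulletin; check Adobe's support status."""
    key = parse_version(version)
    for ceiling in AFFECTED[product]:
        ckey = parse_version(ceiling)
        if ckey[:3] == key[:3]:  # same release line, e.g. 2.4.6
            return key <= ckey
    return None


if __name__ == "__main__":
    # Constructed sample inventory (product, reported version); not real hosts.
    inventory = [
        ("Adobe Commerce", "2.4.6-p5"), ("Adobe Commerce", "2.4.6-p6"),
        ("Magento Open Source", "2.4.7"), ("Magento Open Source", "2.4.7-p1"),
        ("Adobe Commerce", "2.3.7-p3-ext-7"), ("Adobe Commerce", "2.4.8"),
    ]
    labels = {True: "AFFECTED - apply update", False: "outside affected range",
              None: "line not in bulletin"}
    for product, ver in inventory:
        print(f"{product:20} {ver:16} {labels[is_affected(product, ver)]}")
```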
A breakdown of the individual CVEs follows:
| CVE ID | CVSS Severity | Base Score | Category |
| --- | --- | --- | --- |
| CVE-2024-34102 | Critical | 9.8 | Improper Restriction of XML External Entity Reference |
| CVE-2024-34108 | Critical | 9.1 | Improper Input Validation |
| CVE-2024-34111 | Critical | 8.5 | Server-Side Request Forgery (SSRF) |
| CVE-2024-34104 | Critical | 8.2 | Improper Authorization |
| CVE-2024-34103 | Critical | 8.1 | Improper Authentication |
| CVE-2024-34109 | Critical | 8.0 | Improper Input Validation |
| CVE-2024-34110 | Critical | 8.0 | Unrestricted Upload of File with Dangerous Type |
| CVE-2024-34105 | Important | 4.8 | Cross-site Scripting (Stored XSS) |
| CVE-2024-34106 | Important | 5.3 | Improper Authentication |
| CVE-2024-34107 | Important | 5.3 | Improper Access Control |
Patches
Adobe has released official software updates. Instructions for updating Commerce and Magento can be found here. Instructions for updating Commerce Webhooks Plugin can be found here.
How Beazley Security is responding
Beazley Security is monitoring client perimeter devices discovered by our Attack Surface Management Solution, Karma, to identify potentially impacted devices and support organizations in remediation of any issues found.