Adobe has updated its advisory on an actively-exploited critical vulnerability in the Magento and Commerce Open Source platforms to include another RCE bug.
The tech giant published revisions to the advisory on February 17.
Adobe originally issued an out-of-band patch on February 13 to resolve CVE-2022-24086, a critical pre-auth vulnerability that can be exploited by attackers to remotely execute arbitrary code.
CVE-2022-24086 has been issued a CVSS severity score of 9.8. Adobe said the security flaw was being actively exploited "in very limited attacks targeting Adobe Commerce merchants."
Now, Adobe has added a further vulnerability to the advisory, CVE-2022-24087.
"We have discovered additional security protections necessary for CVE-2022-24086 and have released an update to address them (CVE-2022-24087)," Adobe said.
The vulnerability has also been issued a CVSS score of 9.8 and impacts the same products in the same manner.
The security flaws do not require any administrative privileges to trigger and both are described as improper input validation bugs leading to remote code execution (RCE).
As CVE-2022-24086 is being abused in the wild, Adobe has not released any further technical details. However, cybersecurity researchers from the Positive Technologies Offensive Team say they have been able to reproduce the vulnerability.
Adobe Commerce and Magento Open Source 2.3.3-p1 - 2.3.7-p2, and 2.4.0 - 2.4.3-p1 are impacted. However, versions 2.3.0 to 2.3.3 are not affected by the vulnerabilities, according to the company.
Adobe has provided a guide for users to manually install the necessary security patches.
Researchers Eboda and Blaklis were credited with the discovery of CVE-2022-24087. In a tweet, Blaklis said the first patch to resolve CVE-2022-24086 is "not sufficient" and has urged Magento & Commerce users to apply the new fixes.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0