/>
X

CISA adds vulnerabilities in Adobe Magento, Google Chrome and Internet Explorer to catalog

Two of the vulnerabilities have a remediation date of March 1.
headshot-2.jpg
Written by Jonathan Greig, Staff Writer on

Nine vulnerabilities were added to the US Cybersecurity and Infrastructure Security Agency's (CISA) catalog of known exploited vulnerabilities this week, with two carrying a remediation date of March 1. 

The two vulnerabilities -- CVE-2022-24086 and CVE-2022-0609 -- relate to Adobe Commerce and Magento as well as Google Chrome. 

screen-shot-2022-02-16-at-3-14-04-pm.png
CISA

Adobe released an emergency patch on Monday to tackle CVE-2022-24086, which security companies have confirmed is being exploited in the wild. The tech giant said that the vulnerability impacts Adobe Commerce and Magento Open Source. It is being weaponized "in very limited attacks targeting Adobe Commerce merchants," according to Adobe.

The bug impacts Adobe Commerce (2.3.3-p1-2.3.7-p2) and Magento Open Source (2.4.0-2.4.3-p1), as well as earlier versions. The vulnerability has been issued a CVSS severity score of 9.8 out of 10. Adobe's patches can be downloaded and manually applied here

Adobe urged customers using the Magento 1 e-commerce platform to upgrade to the latest version of Adobe Commerce after security company Sansec detected a mass breach of over 500 stores running the platform. In a statement to ZDNet, Adobe said it ended support for Magento 1 on June 30, 2020. 

"We continue to encourage merchants to upgrade to the latest version of Adobe Commerce for the most up-to-date security, flexibility, extensibility, and scalability," an Adobe spokesperson said. 

"At a minimum, we recommend Magento Open Source merchants on Magento 1 to upgrade to the latest version of Magento Open Source (built on Magento 2), to which Adobe contributes key security updates."

The other issue given a remediation date of March 1 is a Google Chrome Use-After-Free vulnerability. Google released a fix for the issue on Monday and said it was reported on February 10 by Adam Weidemann and Clément Lecigne of Google's Threat Analysis Group.

"Google is aware of reports that an exploit for CVE-2022-0609 exists in the wild," Google Chrome's Srinivas Sista added. 

The rest of the vulnerabilities on the list have remediation dates of August 15.

CISA has increased the number of times they update the known exploited vulnerabilities catalog, adding more and more bugs more often in 2022. Their last update was just five days ago and included one vulnerability with a remediation date of February 24.

Related

Google details commercial spyware that targets both Android and iOS devices
spying-eye-monitoring-surveillance-tracking-security-camera.jpg

Google details commercial spyware that targets both Android and iOS devices

Security
How to use tab groups in Google Chrome
Chrome's tab group interface

How to use tab groups in Google Chrome

Computers & Tech
Chrome to offer new operating system admin certification
Three students, two male and one female, use an Acer Chromebook Spin 311 to collaborate on a class project.

Chrome to offer new operating system admin certification

Computers & Tech