June 22, 2024 at 11:57AM

■■■■□ Sansec researchers are warning of a critical CosmicSting vulnerability that affects almost 75% of sites using Adobe Commerce and Magento.

Although Adobe shipped emergency fixes, nine days later the picture has barely changed: the majority of stores are still unpatched and exposed to XML external entity injection (XXE) and, by extension, remote code execution (RCE).

CosmicSting is also tracked as CVE-2024-34102 (CVSS: 9.8) and represents the most severe bug in Magento and Adobe Commerce in the last two years.

On its own, the bug lets an unauthenticated attacker read private files from the server (for example, configuration files containing credentials). Chained with the recently disclosed out-of-bounds write in glibc's iconv() (CVE-2024-2961), that arbitrary file read can be escalated to remote code execution, which is where the real danger lies.
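The XXE primitive described above, as an added illustration (this is not the article's content and not Magento's or Sansec's code): a Python xml.sax parser with external general entities enabled inlines whatever local file an attacker names in a DOCTYPE, while the same parser with that feature left off drops the entity and leaks nothing. The payload, the file path and the "secret" file are constructed for the demo; Magento's actual vulnerable code path is not reproduced here.

```python
"""Added example, not from the article: generic XXE file disclosure in a
stdlib XML parser, vulnerable configuration beside the hardened one."""

import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


def write_secret_file() -> str:
    """Constructed stand-in for a config file holding credentials.
    (Magento keeps its DB password in app/etc/env.php; this is NOT that file.)"""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write("db_password=hunter2\n")
    return path


def build_xxe_payload(target_path: str) -> bytes:
    """Classic XXE document: the internal DTD subset binds &xxe; to a local
    file URI, and the root element references it so the parser inlines it."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE data [\n"
        f'  <!ENTITY xxe SYSTEM "file://{target_path}">\n'
        "]>\n"
        "<data>&xxe;</data>\n"
    ).encode()


class TextCollector(ContentHandler):
    """Collects character data so we can see what the parser inlined."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    def text(self) -> str:
        return "".join(self.chunks)


def parse_collecting_text(xml_bytes: bytes, resolve_external: bool) -> str:
    """Parse with xml.sax.

    resolve_external=True reproduces the vulnerable configuration: external
    general entities are fetched (here via a file:// URI) and their content
    is fed to the content handler as if it were part of the document.
    resolve_external=False is the hardened setting (and the stdlib default
    since Python 3.7.1): the entity reference is silently dropped.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def demo():
    """Returns (text with XXE enabled, text with XXE disabled)."""
    secret = write_secret_file()
    try:
        payload = build_xxe_payload(secret)
        leaked = parse_collecting_text(payload, resolve_external=True)
        safe = parse_collecting_text(payload, resolve_external=False)
        return leaked, safe
    finally:
        os.remove(secret)


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser returned:  ", repr(safe))
```

The same contrast exists in PHP, where Magento runs: libxml-based parsers disclose files when external entity loading is enabled and the document carries a DOCTYPE, so the practical defence is to reject DOCTYPEs (or disable entity loading) on any XML that originates from an unauthenticated request.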

The issue affects Adobe Commerce 2.4.7 and earlier (including 2.4.6-p5, 2.4.5-p7 and 2.4.4-p8), Adobe Commerce Extended Support 2.4.3-ext-7 and earlier (2.4.2-ext-7, 2.4.1-ext-7, 2.4.0-ext-7, 2.3.7-p4-ext-7 and earlier), Magento Open Source 2.4.7 and earlier (including 2.4.6-p5, 2.4.5-p7 and 2.4.4-p8), as well as the Adobe Commerce Webhooks plugin, versions 1.2.0 through 1.4.0.

As Sansec notes, the lack of technical detail in the Adobe bulletin will not hold back exploitation: a working attack can be reconstructed by diffing the patched code against the previous release.

Given its high severity and low attack complexity, Sansec expects CosmicSting to become one of the most damaging attacks in e-commerce history, alongside Shoplift, Ambionics and Trojan Order.

The researchers recommend that store administrators apply the patches for CVE-2024-34102 as soon as possible or, until they can, follow the mitigation measures Sansec has proposed.