Adobe updated its recent out-of-band security advisory to add another critical bug, while researchers put out a PoC for the one it emergency-fixed last weekend.
Yet another zero-day bug has been discovered in the Magento Open Source and Adobe Commerce platforms, while researchers have created a working proof-of-concept (PoC) exploit for the recently patched CVE-2022-24086 vulnerability that came under active attack and forced Adobe to push out an emergency patch last weekend.
Attackers could use either exploit to achieve remote code-execution (RCE) from an unauthenticated user.
The new flaw, detailed on Thursday, has the same level of severity assigned to its predecessor, which Adobe patched on Feb. 13. It’s tracked as CVE-2022-24087 and similarly rated 9.8 on the CVSS vulnerability-scoring system.
Both are improper input validation issues. On Thursday, Adobe updated its advisory for CVE-2022-24086 to add details for CVE-2022-24087, which it described as an elevation of privilege vulnerability in the Azure IoT CLI extension.
“We have discovered additional security protections necessary for CVE-2022-24086 and have released an update to address them (CVE-2022-24087),” Adobe said in its revised bulletin.
No Active Attacks for the New Flaw
While the company is aware of “very limited attacks” on Adobe Commerce merchants that have targeted the CVE-2022-24086 flaw, the company said that it’s unaware of any exploits in the wild for CVE-2022-24087.
Positive Technologies researchers said on Thursday that they’ve been able to reproduce the CVE-2022-24086 vulnerability and have created a working exploit.
Both vulnerabilities affect Adobe Commerce and Magento Open Source 2.3.3-p1 – 2.3.7-p2, and 2.4.0 – 2.4.3-p1. However, versions 2.3.0 to 2.3.3 aren’t affected, Adobe said.
The company has provided a guide for users to manually install the security patches.
Researchers Eboda and Blaklis were credited with the discovery of CVE-2022-24087. Blaklis said in a tweet that the first patch to resolve CVE-2022-24086 is “NOT SUFFICIENT” to be safe, urging Magento & Commerce users to update again.