January 23 2023

Some vendors and users of Adobe Commerce and Magento decided

Some vendors and users of Adobe Commerce and Magento decided to make a difficult choice between "safe" and "convenient".

As we reported, Adobe's February patch, released to fix the critical mail template vulnerability CVE-2022-24086 (CVSS score 9.8), was being actively bypassed by attackers.

In a second round of fixes, the developers released another patch under a new identifier, CVE-2022-24087.

Around the same time, a PoC was released targeting this vulnerability.

So what is actually going on? E-commerce security specialists at Sansec explain.

To fix the vulnerability, Adobe removed the "smart" mail templates and replaced the old mail template variable resolver with a new one, in order to prevent injection attacks.

However, this step took many vendors by surprise, and some of them restored the original functionality.

In doing so, they re-exposed themselves to the critical vulnerability even though they had applied the latest security fix.

Experts have observed some vendors reintroducing the outdated resolver's functionality into production Magento stores, either by overriding the behaviour of the new resolver or by copying code from older Magento versions and registering it as a preference.

The company added that a number of vendors did try to reduce the risk by adding basic filtering of untrusted user data to their order systems.

However, these steps did not prevent exploitation, because the vulnerability can be triggered from any other subsystem that sends email.
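As an added illustration (not from the article, and not Adobe's or Magento's code), the toy Python model below contrasts a legacy-style resolver that re-interprets directives found inside substituted values with a strict single-pass resolver, and shows why filtering only the order form does not cover the same value arriving from another mail-sending subsystem. The directive syntax, template, variable names and values are all constructed.

```python
import re

# Toy directive syntax modelled loosely on {{var ...}}; constructed, not Magento's parser.
DIRECTIVE = re.compile(r"\{\{var\s+([A-Za-z_][A-Za-z0-9_.]*)\}\}")

def legacy_resolve(template, variables, depth=0):
    """Legacy-style resolver: after substituting, it re-scans the output for
    directives, so a directive smuggled in through a variable value is expanded.
    The depth limit only guards against runaway recursion."""
    out = DIRECTIVE.sub(lambda m: variables.get(m.group(1), ""), template)
    if depth < 3 and out != template and DIRECTIVE.search(out):
        return legacy_resolve(out, variables, depth + 1)
    return out

def strict_resolve(template, variables):
    """Strict resolver: a single pass; substituted values are inert text."""
    return DIRECTIVE.sub(lambda m: variables.get(m.group(1), ""), template)

def filter_order_form(value):
    """Source-side mitigation of the kind the article describes: strip directive
    braces from order-form fields. It protects only this one entry point."""
    return value.replace("{{", "").replace("}}", "")

# Constructed order-confirmation template and internal (non-customer) data.
TEMPLATE = "Hello {{var customer_name}}, your order {{var order_id}} is confirmed."
INTERNAL = {"order_id": "100000042", "internal_note": "internal-only value"}

def render(resolver, customer_name):
    variables = dict(INTERNAL, customer_name=customer_name)
    return resolver(TEMPLATE, variables)

def compare(untrusted_name):
    """Render the same untrusted value through three paths; returns the mails."""
    filtered = filter_order_form(untrusted_name)
    return {
        # Legacy resolver + order-form filter: the filter holds for this entry point.
        "legacy_order_form": render(legacy_resolve, filtered),
        # Legacy resolver + the same value arriving via the customer account
        # (or any other mail-sending subsystem): unfiltered, so it is expanded.
        "legacy_account": render(legacy_resolve, untrusted_name),
        # Strict resolver: the value stays inert text wherever it came from.
        "strict_account": render(strict_resolve, untrusted_name),
    }

if __name__ == "__main__":
    for path, text in compare("{{var internal_note}}").items():
        print(f"{path:18} {text}")
```

The takeaway is that the fix belongs at the sink (the resolver), not at one of many sources.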


Publication information:

  • Author of the publication: AdequateSchizo
  • Date of publication: 23 January 2023 12:33
  • Publication category(s): Information security
  • Number of views of the publication: 122
  • Number of comments to the publication: 0
