Some Adobe Commerce and Magento vendors and merchants, faced with a choice between "secure" and "convenient", have chosen convenient.
As we reported, Adobe's February patch for CVE-2022-24086 (CVSS 9.8), a critical vulnerability in the handling of email templates, was being actively bypassed by attackers.
Adobe then shipped a second fix under a new identifier, CVE-2022-24087.
A proof-of-concept exploit for the vulnerability appeared at about the same time.
Sansec's e-commerce security researchers have now explained what is actually going on.
To close the hole, Adobe removed the "smart" email templates and replaced the old template variable resolver with a new, stricter one, so that template directives smuggled in through user-supplied data are no longer evaluated.
This took many vendors by surprise, and some of them restored the original behaviour.
In doing so they reopened the critical vulnerability on stores that had otherwise applied the latest security fix.
Sansec observed vendors reintroducing the legacy resolver into live Magento stores, either by overriding the behaviour of the new resolver, or by copying the old resolver code from earlier Magento versions and registering it as a DI preference.
The company said a number of vendors instead tried to reduce the risk by adding basic filtering of untrusted user input to their order-handling code.
That does not prevent exploitation, because the vulnerability can be triggered from any other subsystem that renders user-supplied data into an email.
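The reintroduction method described above, a di.xml preference pointing the resolver at a copied legacy class, is something a merchant can scan for. The following audit helper is an added example written for this article, not code from Sansec, Adobe or Magento. It assumes the resolver interface and strict resolver live at `Magento\Framework\Filter\VariableResolverInterface` and `Magento\Framework\Filter\VariableResolver\StrictResolver` (the class names as this editor recalls them; confirm them against `vendor/magento/framework/Filter/` in your own install), and it walks a Magento 2 code tree looking for two things: preferences that redirect those types, and resolver implementations living outside Magento's own framework package.

```shell
#!/bin/sh
# Added audit helper (not Sansec's, Adobe's or Magento's code): scan a Magento 2
# code tree for signs that the pre-patch "legacy" template variable resolver has
# been wired back in. Class names are assumed from memory; verify them locally.

# find_resolver_overrides DIR
#   Prints "file:line:match" for every suspicious hit.
#   Exit status 0 if anything was found, 1 if the tree looks clean.
find_resolver_overrides() {
    root="$1"
    hits=0

    # Check 1: di.xml preferences that redirect the resolver interface, or replace
    # the strict resolver, with some other class. This is how a copied
    # LegacyResolver gets activated, e.g.
    #   <preference for="Magento\Framework\Filter\VariableResolverInterface"
    #               type="Acme\Legacy\Model\LegacyResolver"/>
    pref_hits=$(find "$root" -name di.xml -exec grep -nHE \
        '<preference[^>]*for="Magento\\Framework\\Filter\\(VariableResolverInterface|VariableResolver\\StrictResolver)"' \
        {} + 2>/dev/null)
    if [ -n "$pref_hits" ]; then
        printf '%s\n' "$pref_hits"
        hits=1
    fi

    # Check 2: resolver implementations outside Magento's own framework package,
    # i.e. code copied from an older release into app/code or a third-party module.
    class_hits=$(find "$root" -name '*.php' ! -path '*/vendor/magento/framework/*' -exec grep -nHE \
        'class +[A-Za-z0-9_]+ +implements +(\\)?(Magento\\Framework\\Filter\\)?VariableResolverInterface' \
        {} + 2>/dev/null)
    if [ -n "$class_hits" ]; then
        printf '%s\n' "$class_hits"
        hits=1
    fi

    [ "$hits" -eq 1 ]
}

# Usage: find_resolver_overrides /var/www/magento && echo "review the hits above"
```

Run it against the Magento root, including `app/code` and `vendor`. Every hit needs a human look: a preference that merely decorates the strict resolver may be harmless, but one that routes to a class copied from an older release undoes the patch. The script only covers preferences and copied classes; di.xml plugins (interceptors) could also alter the resolver's behaviour, so a clean result is not proof that the fix is intact.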