CosmicSting Vulnerability Threatens Majority of Adobe Commerce and Magento Websites

June 20, 2024

A significant vulnerability, termed 'CosmicSting', affects Adobe Commerce and Magento websites, leaving a vast number of sites exposed to potentially severe attacks. According to statistics provided by Sansec, nearly three-quarters of websites running these affected e-commerce platforms have not yet applied the patch that protects against CosmicSting. The vulnerability puts them at risk of XML external entity injection (XXE) and remote code execution (RCE).

Sansec has described CosmicSting, also known as CVE-2024-34102, as the most severe bug to affect Magento and Adobe Commerce stores in the past two years. The vulnerability alone allows unauthorized access to private files, including those containing passwords. However, when combined with a recent bug in Linux, it results in a significant security risk of remote code execution.

The flaw, which has been rated as critical with a CVSS score of 9.8, affects specific product versions. Despite Adobe's efforts to avoid active exploitation by not including technical details in its bulletin, effective attack methods can be inferred from the patch code. Sansec's analysts used this information to reproduce the attack.

Given its severity and the simplicity of deducing effective attack paths, Sansec predicts that CosmicSting has the potential to become one of the most damaging attacks in e-commerce history, alongside 'Shoplift', 'Ambionics', and 'Trojan Order'.

Adobe has released fixes for CVE-2024-34102 with certain versions, and e-commerce platform administrators are urged to apply these as soon as possible. Sansec advises site administrators to switch to 'Report-Only' mode before upgrading to prevent an issue that could disrupt checkout functionality.

If upgrading is not immediately possible, two measures are recommended. First, administrators should check if their Linux system uses a glibc library vulnerable to CVE-2024-2961, and upgrade as necessary. Second, an 'emergency fix' code should be added to 'app/bootstrap.php' to block most CosmicSting attacks. However, the effectiveness and safety of this fix cannot be guaranteed, so it should be used at one's own risk.
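The article does not reproduce Sansec's emergency fix, so the following is an added illustration of the shape such an early filter in app/bootstrap.php can take, not Sansec's or Adobe's code: it inspects the raw request body before Magento boots and refuses bodies that declare XML external entities. The marker patterns, the 503 response and the log line are assumptions made for this example.

```php
<?php
// Added illustration of a pre-boot request filter for app/bootstrap.php.
// This is NOT Sansec's published emergency fix; the patterns, the 503
// response and the log format are assumptions made for this example.
// When pasted into bootstrap.php the opening <?php tag is already present.

function cosmicstingGuardBodyLooksLikeXxe(string $body): bool
{
    // An XXE payload needs a DOCTYPE carrying an ENTITY declaration, and
    // SYSTEM/PUBLIC identifiers are what pull in external resources.
    // Match case-insensitively so mixed-case markup is not missed.
    $patterns = [
        '/<!DOCTYPE\b/i',
        '/<!ENTITY\b/i',
        '/\bSYSTEM\s+["\']/i',
        '/\bPUBLIC\s+["\']/i',
    ];
    foreach ($patterns as $pattern) {
        if (preg_match($pattern, $body) === 1) {
            return true;
        }
    }
    return false;
}

function cosmicstingGuard(): void
{
    // Only methods that carry a request body can deliver the payload.
    $method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
    if (!in_array($method, ['POST', 'PUT', 'PATCH'], true)) {
        return;
    }
    // php://input can be read again later by Magento (PHP 5.6+), so
    // consuming it here does not break normal request handling.
    $body = file_get_contents('php://input');
    if ($body === false || $body === '') {
        return;
    }
    if (cosmicstingGuardBodyLooksLikeXxe($body)) {
        // Record the event for the SOC; keep the body itself out of the log.
        error_log(sprintf('cosmicsting-guard: blocked %s %s from %s',
            $method, $_SERVER['REQUEST_URI'] ?? '-', $_SERVER['REMOTE_ADDR'] ?? '-'));
        http_response_code(503);
        header('Retry-After: 60');
        echo 'Service temporarily unavailable';
        exit;
    }
}

cosmicstingGuard();
```

A pattern filter of this kind is a stopgap only: encoded or obfuscated payloads may slip past it, and legitimate requests that happen to embed DOCTYPE markup will also be refused, so review the blocked-request log before relying on it and treat the vendor patch as the real fix.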
