Vendors and agencies are actively bypassing the security patch that Adobe released in February 2022 to address CVE-2022-24086, a critical mail template vulnerability in Adobe Commerce and Magento stores, ecommerce security firm Sansec warns.
The CVE-2022-24086 bug (CVSS score of 9.8) is described as an improper input validation bug in the checkout process. It could be exploited to achieve arbitrary code execution, with in-the-wild exploitation observed roughly one week after patches were made available for it.
The initial fixes were found to be easily bypassed, and Adobe issued a second round of patches and a new CVE identifier (CVE-2022-24087) for the bug only days later. A proof-of-concept (PoC) exploit targeting the flaw was released around the same time.
To address the vulnerability, Adobe removed ‘smart’ mail templates and replaced the old mail template variable resolver with a new one, to prevent potential injection attacks.
However, the move caught many vendors off guard, and some of them “had to revert to the original functionality.” In doing so, they unknowingly exposed themselves to the critical vulnerability, despite having applied the latest security patch, Sansec explained.
The security firm has observed some vendors attempting to reintroduce the functionality of the deprecated resolver into production Magento stores, either by overriding the functionality of the new resolver, or by copying code from older versions of Magento and using it as a preference.
“We have observed this risky behavior at multiple agencies as well as extension vendors, likely to avoid the need to update their email templates to be compatible with the new [resolver],” Sansec added.
The company said some vendors attempted to mitigate security risks by adding to the ordering systems basic filtering on unsafe user inputs, but that does not prevent exploitation, given that the vulnerability can be triggered from other subsystems as well, if they touch email.