The bug, which has a severity rating of CVSS 9.8 out of 10, can be used to read any files, including passwords and other secrets. “A common attack strategy is to steal your private encryption key from app/etc/env.php and use that to modify your CMS blocks via the Magento API,” Sansec said. “Then, attackers inject malicious JavaScript to steal your customer data.”
Combined with another bug (CVE-2024-2961), attackers can run code directly on customer servers and use it for back-end installations, the cybersecurity firm added.
Magento and Adobe Commerce versions vulnerable to CosmicSting attacks include 2.4.7 and earlier, 2.4.6-p5 and earlier, 2.4.5-p7 and earlier, and 2.4.4-p8 and earlier. Businesses are advised to update immediately and apply the hotfix.
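The affected ranges above are awkward to check by hand because Magento's `-pN` suffix orders within a release line (2.4.7 is affected, 2.4.7-p1 is not). The following Python helper, an added example and not code from the article or from Sansec, parses a Magento/Adobe Commerce version string and reports whether it falls inside the ranges listed above; the bounds are taken directly from the article, and the `is_vulnerable` and `parse_version` names are this example's own.

```python
import re
from typing import Tuple

# Upper bound of the affected range for each release line, as stated in the
# article: "2.4.7 and earlier, 2.4.6-p5 and earlier, 2.4.5-p7 and earlier,
# and 2.4.4-p8 and earlier". Patch level 0 means the release with no -pN suffix.
LAST_VULNERABLE = {
    (2, 4, 7): 0,
    (2, 4, 6): 5,
    (2, 4, 5): 7,
    (2, 4, 4): 8,
}
OLDEST_LISTED_LINE = (2, 4, 4)

# Matches "2.4.6-p5" (major.minor.patch with optional -pN suffix).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(version: str) -> Tuple[Tuple[int, int, int], int]:
    """Split '2.4.6-p5' into ((2, 4, 6), 5); a missing -pN suffix is level 0."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {version!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch)), int(plevel or 0)


def is_vulnerable(version: str) -> bool:
    """True if the version lies inside the ranges the article lists as affected."""
    line, plevel = parse_version(version)
    if line in LAST_VULNERABLE:
        # Same release line: affected up to and including the stated -p level.
        return plevel <= LAST_VULNERABLE[line]
    # Release lines older than 2.4.4 fall under "and earlier"; lines newer
    # than 2.4.7 are outside every stated range.
    return line < OLDEST_LISTED_LINE


if __name__ == "__main__":
    for v in ("2.4.7", "2.4.7-p1", "2.4.6-p5", "2.4.6-p6", "2.4.3-p3", "2.4.8"):
        print(f"{v:10s} affected={is_vulnerable(v)}")
```

A version inside the range is a reason to update and apply the hotfix; a version outside it says nothing about whether the separate hotfix the article recommends has been applied.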