10

CVE-2022-24086

Warning

Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability during the checkout process. Exploitation of this issue does not require user interaction and could result in arbitrary code execution.

Data is provided by the National Vulnerability Database (NVD)
Adobe Commerce Version < 2.3.0
Adobe Commerce Version > 2.3.3 <= 2.3.6
Adobe Commerce Version >= 2.4.0 <= 2.4.2
Adobe Commerce Version 2.3.7 Update p1
Adobe Commerce Version 2.3.7 Update p2
Adobe Commerce Version 2.4.3 Update -
Adobe Commerce Version 2.4.3 Update p1
Magento Magento SwEdition commerce Version < 2.3.0
Magento Magento SwEdition commerce Version > 2.3.3 <= 2.3.6
Magento Magento SwEdition commerce Version >= 2.4.0 <= 2.4.2
Magento Magento Version 2.3.7 Update p1 SwEdition commerce
Magento Magento Version 2.3.7 Update p2 SwEdition commerce
Magento Magento Version 2.4.3 Update - SwEdition commerce
Magento Magento Version 2.4.3 Update p1 SwEdition commerce

15.02.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog

Vulnerability

Adobe Commerce and Magento Open Source Improper Input Validation Vulnerability

Description

Adobe Commerce and Magento Open Source contain an improper input validation vulnerability which can allow for arbitrary code execution.

Required actions

Apply updates per vendor instructions.

EPSS Metrics
Type Source Score Percentile
EPSS FIRST.org 90.34% 0.996
CVSS Metrics
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 10 10 10 AV:N/AC:L/Au:N/C:C/I:C/A:C
psirt@adobe.com 9.8 3.9 5.9 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.