Article Details

CosmicSting flaw impacts 75% of Adobe Commerce, Magento sites. A vulnerability dubbed "CosmicSting" impacting Adobe Commerce and Magento websites remains largely unpatched nine days after the security update has been made available, leaving millions of sites open to catastrophic attacks. According to Sansec's stats, roughly three out of four websites using the impacted e-commerce platforms have not patched against CosmicSting, which puts them at risk of XML external entity injection (XXE) and remote code execution (RCE). "CosmicSting (aka CVE-2024-34102) is the worst bug to hit Magento and Adobe Commerce stores in two years," says Sansec. "In itself, it allows anyone to read private files (such as those with passwords). However, combined with the recent iconv bug in Linux, it turns into the security nightmare of remote code execution." The flaw, rated critical (CVSS score: 9.8), impacts the following product versions: Sansec says that despite Adobe omitting technical details on its bulletin to avoid fueling active exploitation, effective attack methods can be easily inferred from the patch code, which its analysts used for reproducing the attack. Based on the severity and low complexity of deducing effective attack paths, Sansec estimates that CosmicSting ticks all boxes to become one of the most damaging attacks in e-commerce's history, alongside "Shoplift", "Ambionics", and "Trojan Order." Apply fix or mitigation now The vendor released fixes for CVE-2024-34102 with the following versions, which e-commerce platform administrators are recommended to apply as soon as possible: Sansec recommends that site admins switch to 'Report-Only' mode before upgrading to avoid an issue that may break checkout functionality. For those who are unable to upgrade right now, they are advised to take the following two measures: First, check if you're Linux system is using a glibc library vulnerable to CVE-2024-2961 using the below command, and upgrade as required. The command below will download a C source code file, compile it, and run it on your computer to detect if you're vulnerable. Next, you need to add the following "emergency fix" code on 'app/bootstrap.php' to block most CosmicSting attacks. BleepingComputer has not tested the fix and cannot guarantee its effectiveness or safety, so use it at your own risk.