⚠ Actively exploited
Added to CISA KEV on 2022-02-15. Federal agencies required to patch by 2022-03-01. Required action: Apply updates per vendor instructions.

CVE-2022-24086

Severity
9.8 CRITICAL
EPSS
93.6% (top 0.17%)
CISA KEV
KEV
Added 2022-02-15
Due 2022-03-01
Exploit
Exploited in wild
Active exploitation observed
Timeline
KEV added: Feb 15
Published: Feb 16
Latest update: Feb 17
KEV due: Mar 1
CISA Required Action: Apply updates per vendor instructions.

Description

Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability during the checkout process. Exploitation of this issue does not require user interaction and could result in arbitrary code execution.
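The description gives two affected ranges (2.4.3-p1 and earlier on the 2.4 branch, 2.3.7-p2 and earlier below it). Magento's patch releases carry a "-pN" suffix that a plain string or numeric comparison gets wrong ("2.4.3" is older than "2.4.3-p1", and "2.4.3-p10" is newer than "2.4.3-p2"), so the check below parses that suffix explicitly. This is an added example, not code from the page or from Adobe; the function names, the sample "Magento CLI" line it extracts a version from, and the reading of "and earlier" as covering every release older than 2.3.7-p2 are assumptions made here.

```python
import re
from typing import Optional, Tuple

# Last affected release on each branch, as stated in the description above.
# Assumption (not spelled out on the page): "2.3.7-p2 (and earlier)" is read as
# covering every release older than 2.3.7-p2, including earlier branches.
LAST_AFFECTED_24 = (2, 4, 3, 1)   # 2.4.3-p1
LAST_AFFECTED_23 = (2, 3, 7, 2)   # 2.3.7-p2

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH[-pN]' into a comparable tuple.

    A release without a -pN suffix sorts before -p1 of the same release,
    and patch levels compare numerically (p10 > p2), which is why the
    suffix is split out instead of compared as a string.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version: {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def extract_version(text: str) -> Optional[str]:
    """Pull the first MAJOR.MINOR.PATCH[-pN] token out of free text
    (e.g. a CLI banner or a composer.json 'version' value)."""
    m = re.search(r"\d+\.\d+\.\d+(?:-p\d+)?", text)
    return m.group(0) if m else None


def is_affected(version: str) -> Optional[bool]:
    """True if the version falls inside a range the description names as
    affected, False if it is newer than the last affected release on its
    branch, None if the branch is not covered by the description at all."""
    v = parse_version(version)
    branch = v[:2]
    if branch == (2, 4):
        return v <= LAST_AFFECTED_24
    if branch < (2, 4):
        return v <= LAST_AFFECTED_23
    return None  # 2.5+ is not mentioned on this page; say nothing about it


if __name__ == "__main__":
    # Constructed sample input, not real tool output.
    banner = "Magento CLI 2.4.3-p1"
    found = extract_version(banner)
    print(found, "->", is_affected(found) if found else "no version found")
```

Run it against the output of the installation's own version banner or its composer metadata; a `None` result means the page's description does not cover that branch, which is different from "not affected".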

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (4 packages)

Source    | Package                   | Versions listed
NVD       | adobe/commerce            | 2.3.3, 2.3.6, +4 more
CVEListV5 | adobe/magento_commerce    | unspecified, 2.4.3-p1, +2 more
NVD       | adobe/magento             | 2.4.0, 2.4.2, +4 more
Packagist | magento/community-edition | 2.3.3-p1, 2.3.7-p3, +1 more

Patches

🔴 Vulnerability Details (4)

GHSA: Magento improper input validation vulnerability (2022-02-17)
OSV: Magento improper input validation vulnerability (2022-02-17)
CVEList: Adobe Commerce checkout improper input validation leads to remote code execution (2022-02-16)
VulnCheck: Adobe Commerce and Magento Open Source Improper Input Validation Vulnerability (2022)

💥 Exploits & PoCs (1)

Nuclei: Adobe Commerce (Magento) - Remote Code Execution

📋 Vendor Advisories (1)

CISA: Adobe Commerce and Magento Open Source Improper Input Validation Vulnerability (2022-02-15)

Source: cvebase.io