The online e-commerce industry is currently facing a significant concern due to the recent discovery of a security vulnerability called “CosmicSting” (CVE-2024-34102), which is particularly affecting the Magento and Adobe Commerce platforms.
This critical vulnerability has the potential to pose a significant security risk, potentially compromising the data of millions of online stores on a global scale.
CosmicSting exploits a critical vulnerability that enables attackers to obtain illicit access to sensitive files, including those that contain critical passwords.
When coupled with a recent Linux flaw (CVE-2024-2961), the vulnerability can escalate to remote code execution, allowing hackers to exert complete control over compromised websites.
With that, the registration credentials of users who created an account on a compromised online store may be at risk of being stolen.
Additionally, a substantial online store with hundreds of thousands of account registrations can pose a significant privacy and security risk.
The vulnerability was first discovered by Sansec, a prominent e-commerce security firm, which has identified CosmicSting as the most grievous bug to impact Magento and Adobe Commerce platforms in the past two years.
The vulnerability has been assigned a critical CVSS score of 9.8, which underscores its significant potential for exploitation and the severe consequences it could have on businesses that depend on these platforms.
Adobe has promptly responded by issuing security upgrades for CVE-2024-34102. Nevertheless, nearly seventy-five percent of vulnerable websites have yet to implement these essential updates, despite the availability of patches.
Before applying the security updates, Sansec suggests that administrators configure their e-commerce platforms to operate in “Report-Only” mode.
Administrators and owners of e-commerce platforms are strongly encouraged to prioritize the installation of these security patches promptly in order to mitigate the risks associated with the vulnerability.