Most Adobe Commerce and Magento sites still vulnerable to CVE-2024-34102 "CosmicSting"
Take action: If you are using Adobe Commerce or Magento, patch immediately. This flaw is actively exploited. If you can't patch, apply the mitigation script as soon as possible.
A critical vulnerability, known as "CosmicSting" and tracked as CVE-2024-34102 (CVSS score 9.8), is affecting Adobe Commerce and Magento websites.
CosmicSting allows attackers to read private files, such as those containing passwords, and can lead to remote code execution when combined with the recent iconv bug in Linux. This vulnerability is being actively exploited, putting numerous e-commerce sites at risk of severe security breaches.
This flaw remains largely unpatched even nine days after the security update's release, leaving millions of websites at significant risk of catastrophic attacks. Approximately 75% of sites using the affected platforms have not applied the necessary patches.
Affected Versions:
- Adobe Commerce: 2.4.7 and earlier, including 2.4.6-p5, 2.4.5-p7, 2.4.4-p8
- Adobe Commerce Extended Support: 2.4.3-ext-7 and earlier, 2.4.2-ext-7 and earlier, 2.4.1-ext-7 and earlier, 2.4.0-ext-7 and earlier, 2.3.7-p4-ext-7 and earlier
- Magento Open Source: 2.4.7 and earlier, including 2.4.6-p5, 2.4.5-p7, 2.4.4-p8
- Adobe Commerce Webhooks Plugin Versions 1.2.0 to 1.4.0
To protect against this critical vulnerability, apply the fixes provided by Adobe. The updated versions addressing this flaw are:
- Adobe Commerce: 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9
- Adobe Commerce Extended Support: 2.4.3-ext-8, 2.4.2-ext-8, 2.4.1-ext-8, 2.4.0-ext-8, 2.3.7-p4-ext-8
- Magento Open Source: 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9
- Adobe Commerce Webhooks Plugin: Version 1.5.0
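When auditing a fleet of stores it is easy to misread the `-pN` and `-ext-N` suffixes, so the following added example (not part of the advisory or of Adobe's tooling) turns the affected and fixed version lists above into a checker. The version strings are copied from this page; the parsing and comparison logic, and the constructed sample versions in `main()`, are this example's own assumptions. Releases newer than anything the advisory names are reported as "not listed" rather than guessed at.

```python
"""Classify Adobe Commerce / Magento Open Source version strings against the
CosmicSting (CVE-2024-34102) affected and fixed releases listed in the advisory.

Added example, not part of the advisory. Version lists come from the advisory
text; the parsing and comparison logic is this example's own.
"""
import re
from typing import Tuple

# Fixed releases named in the advisory, keyed below by release line
# (major, minor, patch, is_extended_support_build).
FIXED_RELEASES = (
    "2.4.7-p1", "2.4.6-p6", "2.4.5-p8", "2.4.4-p9",              # Commerce / Open Source
    "2.4.3-ext-8", "2.4.2-ext-8", "2.4.1-ext-8", "2.4.0-ext-8",  # Extended Support
    "2.3.7-p4-ext-8",
)

# The advisory says "2.4.7 and earlier" are affected.
HIGHEST_AFFECTED_BASE = (2, 4, 7)

# Accepts 2.4.6, 2.4.6-p5, 2.4.3-ext-7 and 2.3.7-p4-ext-7 style strings.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?(?:-ext-(\d+))?$")

VersionKey = Tuple[int, int, int, int, int]


def parse_version(version: str) -> VersionKey:
    """Turn '2.4.6-p5' or '2.3.7-p4-ext-7' into a comparable tuple
    (major, minor, patch, p_level, ext_level); absent suffixes count as 0,
    so plain 2.4.7 sorts below 2.4.7-p1."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {version!r}")
    major, minor, patch, p, ext = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0), int(ext or 0))


def _line_key(v: VersionKey) -> Tuple[int, int, int, bool]:
    """Release line a version belongs to: base version plus whether it is an
    Extended Support build (an -ext-N suffix is present)."""
    return (v[0], v[1], v[2], v[4] > 0)


_FIXED_BY_LINE = {_line_key(parse_version(f)): parse_version(f) for f in FIXED_RELEASES}


def cosmicsting_status(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'not listed' for a platform version."""
    v = parse_version(version)
    fixed = _FIXED_BY_LINE.get(_line_key(v))
    if fixed is not None:
        # Same release line as a fixed build: patched iff at or above it.
        return "patched" if v >= fixed else "vulnerable"
    if v[:3] <= HIGHEST_AFFECTED_BASE:
        # Affected line with no fixed build on this page (e.g. 2.4.3 without
        # Extended Support): the only remedy is moving to a fixed line.
        return "vulnerable"
    return "not listed"


def webhooks_plugin_status(version: str) -> str:
    """Adobe Commerce Webhooks plugin: 1.2.0 through 1.4.0 affected, 1.5.0 fixed."""
    parts = tuple(int(x) for x in version.strip().split("."))
    parts = (parts + (0, 0, 0))[:3]  # pad "1.4" to (1, 4, 0)
    if (1, 2, 0) <= parts <= (1, 4, 0):
        return "vulnerable"
    if parts >= (1, 5, 0):
        return "patched"
    return "not listed"


def main() -> None:
    # Constructed sample inventory, not real store data.
    samples = ["2.4.7", "2.4.7-p1", "2.4.6-p5", "2.4.3-p1", "2.3.7-p4-ext-7", "2.4.8"]
    for s in samples:
        print(f"{s:16} {cosmicsting_status(s)}")
    print(f"webhooks 1.3.2   {webhooks_plugin_status('1.3.2')}")


if __name__ == "__main__":
    main()
```

Feed it the output of `bin/magento --version` (or the `version` field of `composer.lock`) from each store; anything reported as "vulnerable" should be upgraded to the corresponding fixed release above, and "not listed" results should be checked against Adobe's current bulletin rather than assumed safe.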
For those who cannot upgrade immediately, the following temporary measures are advised:
Emergency Fix in app/bootstrap.php - add the following code to block most CosmicSting attacks:
// CosmicSting (CVE-2024-34102) emergency mitigation: refuse any request whose
// raw body contains the string "dataIsURL", which this check keys on. It blocks
// most known attack traffic but is not a substitute for the vendor patch.
if (strpos(file_get_contents('php://input'), 'dataIsURL') !== false) {
    header('HTTP/1.1 503 Service Temporarily Unavailable');
    header('Status: 503 Service Temporarily Unavailable');
    exit;
}
Update: as of 28 June 2024, a PoC exploit has been published.