Adobe Commerce Vulnerable to OS Command Injection Attacks
Key Information
- Vendor: Adobe
- Product: Adobe Commerce
- CVE Published: 15 February 2024
Summary
CVE-2024-20720 is an OS command injection vulnerability in Adobe Commerce (and the Magento Open Source releases on the same lines) affecting versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier. Successful exploitation gives arbitrary code execution on the store's server. Adobe rates it critical (CVSS 3.1 base score 9.1). No user interaction is needed, but the CVSS vector lists high privileges required, so an attacker first needs administrative access to the store; once they have it, the flaw turns that access into command execution on the host. Threat actors have been observed using the vulnerability to plant a persistent backdoor hidden in layout XML on e-commerce sites: they combined the Magento layout parser with the beberlei/assert package (shipped with Magento) to run system commands, and used that to inject a fake Stripe payment skimmer that captured card data and sent it to another compromised Magento store. Adobe has released security updates that address the issue. Administrators should update their stores and, because patching does not remove a backdoor that is already in place, also scan the database and theme files for indicators of compromise.
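Two checks a responder would run after reading the summary above are "is this store on a fixed version?" and "does any stored layout XML route a block argument through a class outside Magento, or carry shell syntax?" The script below is an added example written for this page; it is not Adobe's code, not the attackers' payload, and not from any of the articles cited. Magento layout XML allows `xsi:type="helper"` arguments that make the layout parser call a static `Class::method`, and the reporting describes the backdoor abusing that mechanism together with beberlei/assert (namespace `Assert\`). The sample layouts, the helper method names (`Magento\Store\Helper\Data::getStoreName`, `Assert\Assertion::string`), and the `SUSPICIOUS_TEXT` patterns are constructed for illustration; the fixed versions 2.4.6-p4, 2.4.5-p6 and 2.4.4-p7 are taken from Adobe's APSB24-03 bulletin. The `layout_update` table (column `xml`) is where Magento persists admin-supplied layout updates, and is the first place to feed into `scan_layout_xml`.

```python
"""Added example (not from the advisory, Adobe, or the attackers' payload):
triage a Magento / Adobe Commerce store for CVE-2024-20720 abuse.

  1. is_patched():      does the installed version carry Adobe's fix?
  2. scan_layout_xml(): does a layout-update XML document (from the
                        `layout_update` table or a theme layout file) call a
                        helper class outside the Magento namespace, or contain
                        shell / PHP syntax in an argument value?

All sample XML and helper method names are constructed for this example;
the fixed versions come from Adobe's APSB24-03 bulletin.
"""
import re
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"

# First patch level on each release line that contains the fix (Adobe APSB24-03).
FIRST_FIXED_PATCH = {"2.4.6": 4, "2.4.5": 6, "2.4.4": 7}

# Helper classes a stock layout is expected to reference (assumption: no
# legitimate third-party helpers; widen this tuple for stores that have them).
ALLOWED_HELPER_PREFIXES = ("Magento\\",)

# Shell / PHP fragments that never belong in a layout argument value.
SUSPICIOUS_TEXT = re.compile(
    r"(?:\bsed\b|\bcurl\b|\bwget\b|\bbase64\b|/bin/sh|\$\(|`|<\?php|shell_exec|system\()",
    re.IGNORECASE,
)


def is_patched(version: str) -> bool:
    """True if `version` (e.g. '2.4.6-p3') includes the CVE-2024-20720 fix."""
    m = re.fullmatch(r"(\d+\.\d+\.\d+)(?:-p(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version: {version!r}")
    base, patch = m.group(1), int(m.group(2) or 0)
    if base in FIRST_FIXED_PATCH:
        return patch >= FIRST_FIXED_PATCH[base]
    # 2.4.7 and later shipped after the fix; older release lines never received it.
    return tuple(int(x) for x in base.split(".")) > (2, 4, 6)


def scan_layout_xml(xml_text: str) -> list[str]:
    """Return findings for one layout-update XML document (empty list = clean)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"unparseable layout XML ({exc}); inspect by hand"]

    findings = []
    for el in root.iter():
        # xsi:type="helper" makes the layout parser call helper="Class::method".
        if el.tag in ("argument", "param") and el.get(f"{{{XSI}}}type") == "helper":
            helper = el.get("helper", "")
            if not helper.startswith(ALLOWED_HELPER_PREFIXES):
                findings.append(f"helper argument calls non-Magento class: {helper}")
        # Direct text of any element: a layout value should never read like a command.
        text = (el.text or "").strip()
        if SUSPICIOUS_TEXT.search(text):
            findings.append(f"shell/PHP syntax in <{el.tag}>: {text[:60]!r}")
    return findings


# Constructed sample: a normal layout update referencing a Magento helper.
CLEAN_LAYOUT = """<?xml version="1.0"?>
<page xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <body>
    <referenceBlock name="footer">
      <arguments>
        <argument name="store_name" xsi:type="helper"
                  helper="Magento\\Store\\Helper\\Data::getStoreName"/>
      </arguments>
    </referenceBlock>
  </body>
</page>"""

# Constructed sample of the pattern to hunt for: a helper argument pointing at
# beberlei/assert and a parameter that is really a shell command editing a template.
SUSPICIOUS_LAYOUT = """<?xml version="1.0"?>
<page xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <body>
    <referenceBlock name="footer">
      <arguments>
        <argument name="text" xsi:type="helper" helper="Assert\\Assertion::string">
          <param name="value">sed -i 's/a/b/' app/design/frontend/Vendor/theme/x.phtml</param>
        </argument>
      </arguments>
    </referenceBlock>
  </body>
</page>"""


if __name__ == "__main__":
    for v in ("2.4.6-p3", "2.4.6-p4", "2.4.4", "2.4.7"):
        print(f"{v:10} patched={is_patched(v)}")
    for name, doc in (("clean", CLEAN_LAYOUT), ("suspicious", SUSPICIOUS_LAYOUT)):
        print(name, scan_layout_xml(doc) or "no findings")
```

In practice, pipe every row of `SELECT xml FROM layout_update` (and the layout XML files under `app/design`) through `scan_layout_xml`; an empty result is not proof of a clean store, but any finding on a store that was ever on an affected version warrants treating the host as compromised rather than merely patching it.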
Affected Version(s)
Adobe Commerce 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier on each of those release lines (Magento Open Source on the same versions is affected as well)
News Articles
- CVE-2024-20720 Vulnerability in Adobe Commerce / Magento
  CVE-2024-20720 affects Adobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier. It is an OS command injection vulnerability.
  8 months ago
- Magento flaw exploited to deploy persistent backdoor hidden in XML
  8 months ago
- Hackers Exploit Magento Bug to Steal Payment Data from E-commerce Websites
  Exploit alert for Magento users: a critical flaw, CVE-2024-20720, allows threat actors to sneak a persistent backdoor into e-commerce sites.
  8 months ago
CVSS V3.1
Base score 9.1 (Critical), vector AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H (per Adobe's APSB24-03 bulletin)
Timeline
- Vulnerability started trending.
- Exploit exists.
- First article discovered.
- Vulnerability published.
- Vulnerability reserved.