CosmicSting: Unauthorized XXE Vulnerability

17 Jul 2024
Albert Wood

CosmicSting is a critical vulnerability in Adobe Commerce and Magento Open Source, and it is already being exploited against live stores. If you run either platform and have not applied Adobe's fix, treat patching as an emergency.

Sansec, the eCommerce security firm that named the flaw, reports that roughly 75% of stores on these platforms have not yet applied the patch. The bug is an XML external entity injection (XXE): an unauthenticated attacker can make the server's XML parser read local files, which exposes secrets such as the store's encryption key, and when chained with other weaknesses can lead to remote code execution (RCE). The downstream costs are the usual ones for a breach: stolen customer and payment data, regulatory exposure and lawsuits, lost customer trust, and the bill for incident response and recovery.
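To make the vulnerability class concrete, here is an added PHP example (not ioVista's code and not Magento's) showing how an XML parser that substitutes external entities leaks a file, beside a parser configured to refuse. The secret file, its contents, the XML payload and the function names are constructed for this demonstration; the payload is a generic XXE document, not the CosmicSting request itself.

```php
<?php
declare(strict_types=1);

// Added example: vulnerable vs. hardened parsing of attacker-supplied XML in PHP.
// The secret file and the XML documents below are constructed for the demo.

// Stand-in for app/etc/env.php. A real env.php is PHP source, which is not
// well-formed XML, so an XXE payload usually pulls it through the php://filter
// base64 wrapper; that is the standard PHP trick and is used here as well.
$secretPath = tempnam(sys_get_temp_dir(), 'env');
file_put_contents($secretPath, "<?php return ['crypt' => ['key' => 'demo-crypt-key']];");

$maliciousXml = <<<XML
<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource={$secretPath}">
]>
<data>&xxe;</data>
XML;

$benignXml = '<data>just a product name</data>';

/**
 * Vulnerable: LIBXML_NOENT makes libxml substitute entities, including
 * external ones, so the parser opens the SYSTEM URI and splices the result
 * into the document. This is the libxml behaviour that an XXE such as
 * CosmicSting abuses.
 */
function parseVulnerable(string $xml): string
{
    $doc = new SimpleXMLElement($xml, LIBXML_NOENT);
    return (string) $doc; // text content of <data>, i.e. the leaked file
}

/**
 * Hardened: untrusted XML may not carry a DTD or entity declarations at all,
 * entity substitution stays off, network access is disabled, and the external
 * entity loader is replaced by one that refuses every request, so a later
 * change of parser flags cannot silently reopen the hole.
 */
function parseHardened(string $xml): string
{
    if (preg_match('/<!(?:DOCTYPE|ENTITY)/i', $xml) === 1) {
        throw new InvalidArgumentException('DTD and entity declarations are not accepted');
    }
    libxml_set_external_entity_loader(static fn () => null);
    try {
        $doc = new SimpleXMLElement($xml, LIBXML_NONET);
        return (string) $doc;
    } finally {
        libxml_set_external_entity_loader(null); // restore the default loader
    }
}

libxml_use_internal_errors(true); // keep libxml notices out of the output

$leaked = parseVulnerable($maliciousXml);
echo "vulnerable parser returned: " . base64_decode($leaked) . PHP_EOL;

echo "hardened parser on benign input: " . parseHardened($benignXml) . PHP_EOL;
try {
    parseHardened($maliciousXml);
} catch (InvalidArgumentException $e) {
    echo "hardened parser rejected the payload: " . $e->getMessage() . PHP_EOL;
}

unlink($secretPath);
```

The important detail is that on PHP 8 the entity loader is still active whenever code passes LIBXML_NOENT (or lets an attacker influence the options argument); not passing the flag is necessary but the DOCTYPE rejection and the null entity loader are what make the parser safe regardless of how it is called.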


“CosmicSting, officially identified as CVE-2024-34102, is the most severe bug to impact Magento and Adobe Commerce stores in the past two years,” says Sansec. Adobe rates the flaw critical with a CVSS base score of 9.8, and it requires no authentication to trigger.


Affected Product Versions

  • Magento Open Source: 2.4.7 and earlier (including 2.4.6-p5, 2.4.5-p7, 2.4.4-p8)
  • Adobe Commerce: 2.4.7 and earlier (including 2.4.6-p5, 2.4.5-p7, 2.4.4-p8)
  • Adobe Commerce Extended Support: 2.4.3-ext-7 and earlier, 2.4.2-ext-7 and earlier, 2.4.1-ext-7 and earlier, 2.4.0-ext-7 and earlier, 2.3.7-p4-ext-7 and earlier
  • Adobe Commerce Webhooks Plugin: versions 1.2.0 to 1.4.0

Adobe withheld technical details from its bulletin to slow down active exploitation, but the fix is visible in the patch itself, and a capable developer can reconstruct the attack by studying the changed code.


Given the severity and the ease of exploitation, Sansec expects CosmicSting to cause significant damage and warns that it could become one of the most destructive eCommerce attacks to date, rivaling earlier Magento campaigns such as “Shoplift,” “Ambionics,” and “Trojan Order.”


Recommended Fixes

Adobe has released fixes for CVE-2024-34102, and administrators should upgrade to the versions below as soon as possible. The -p releases are cumulative security patch releases, so moving to one of them also picks up the earlier security fixes for that release line.

  • Magento Open Source: 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9
  • Adobe Commerce: 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9
  • Adobe Commerce Extended Support: 2.4.3-ext-8, 2.4.2-ext-8, 2.4.1-ext-8, 2.4.0-ext-8, 2.3.7-p4-ext-8
  • Adobe Commerce Webhooks Plugin: version 1.5.0
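As an added example (not Adobe's or ioVista's code), the following PHP check turns the fixed-version list above into an “am I patched, and what do I upgrade to” answer for the version string that `bin/magento --version` prints. The function names and the sample version strings are my own; the table is the one from this advisory.

```php
<?php
declare(strict_types=1);

// Added example: decide whether an Adobe Commerce / Magento Open Source
// install is at or past the release that fixes CVE-2024-34102.
// Release line => first fixed release, per Adobe's advisory for the CVE.
const COSMICSTING_FIXED_VERSIONS = [
    '2.4.7' => '2.4.7-p1',
    '2.4.6' => '2.4.6-p6',
    '2.4.5' => '2.4.5-p8',
    '2.4.4' => '2.4.4-p9',
    '2.4.3' => '2.4.3-ext-8',
    '2.4.2' => '2.4.2-ext-8',
    '2.4.1' => '2.4.1-ext-8',
    '2.4.0' => '2.4.0-ext-8',
    '2.3.7' => '2.3.7-p4-ext-8',
];

/** Extracts "2.4.6-p5" from "Magento CLI 2.4.6-p5"; falls back to the trimmed input. */
function normalizeVersion(string $raw): string
{
    return preg_match('/\d+\.\d+\.\d+(?:-[A-Za-z0-9]+)*/', $raw, $m) === 1 ? $m[0] : trim($raw);
}

/**
 * Returns null when the install is already fixed, the release to upgrade to
 * when it is not, and throws for a release line the advisory does not cover.
 * version_compare() orders "2.4.7" before "2.4.7-p1" and "-p6" before "-p10",
 * both of which a plain string comparison gets wrong.
 */
function requiredUpgradeFor(string $raw): ?string
{
    $installed = normalizeVersion($raw);
    $base = explode('-', $installed, 2)[0];                       // "2.4.6-p5" -> "2.4.6"
    $line = implode('.', array_slice(explode('.', $base), 0, 3));
    if (!isset(COSMICSTING_FIXED_VERSIONS[$line])) {
        throw new UnexpectedValueException("release line $line is not listed in the advisory");
    }
    $fixed = COSMICSTING_FIXED_VERSIONS[$line];
    return version_compare($installed, $fixed, '>=') ? null : $fixed;
}

// Constructed sample inputs, in the shape `bin/magento --version` prints.
foreach (['Magento CLI 2.4.6-p5', '2.4.7', '2.4.7-p1', '2.3.7-p4-ext-7', '2.4.6-p10'] as $v) {
    $needed = requiredUpgradeFor($v);
    echo str_pad($v, 24) . ($needed === null ? 'patched' : "upgrade to $needed") . PHP_EOL;
}
```

Run it on each store in a fleet and treat every “upgrade to” line as an incident-priority ticket; a release line the table does not know is outside this advisory's scope and should be checked against Adobe's bulletin by hand rather than assumed safe.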

Upgrading closes the hole but does not undo what an attacker may already have taken. Because the XXE can read server-side files such as app/etc/env.php, which holds the store's encryption key, Adobe and Sansec advise rotating the encryption key after patching so that a stolen key becomes useless; in the Magento 2 admin this is done under System > Other Settings > Manage Encryption Key. Review web server and admin access logs from before the patch date as well.

If you need help, schedule the patch with ioVista's Magento 2 certified developers now so that your Adobe Commerce or Magento store is protected from this threat.


Albert Wood is an accomplished eCommerce Business Analyst. As a technology futurist and sales motivator at ioVista, Albert is dedicated to transforming struggling eCommerce businesses into thriving enterprises. With a keen focus on clients' business processes, user experience (UX), and the power of digital marketing, he helps businesses optimize their online presence and drive sustainable growth. Albert's passion is virtual reality (VR), augmented reality (AR), and mixed reality (MR), immersing himself in unforgettable experiences and exploring the possibilities they offer. His enthusiasm for these emerging technologies fuels his drive to push the boundaries of innovation in eCommerce.
