CVE-2022-24086: Adobe Commerce and Magento Open Source Improper Input Validation Vulnerability
First published: Tue Feb 15 2022(Updated: )
Adobe Commerce and Magento Open Source contain an improper input validation vulnerability which can allow for arbitrary code execution.
Credit: psirt@adobe.com psirt@adobe.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Adobe Commerce and Magento Open Source | ||
| composer/magento/community-edition | >=2.4.0<2.4.3-p2 | 2.4.3-p2 |
| composer/magento/community-edition | >=2.3.3-p1<2.3.7-p3 | 2.3.7-p3 |
| Adobe Commerce | <2.3.0 | |
| Adobe Commerce | >2.3.3<=2.3.6 | |
| Adobe Commerce | >=2.4.0<=2.4.2 | |
| Adobe Commerce | =2.3.7-p1 | |
| Adobe Commerce | =2.3.7-p2 | |
| Adobe Commerce | =2.4.3 | |
| Adobe Commerce | =2.4.3-p1 | |
| Magento Magento | <2.3.0 | |
| Magento Magento | >2.3.3<=2.3.6 | |
| Magento Magento | >=2.4.0<=2.4.2 | |
| Magento Magento | =2.3.7-p1 | |
| Magento Magento | =2.3.7-p2 | |
| Magento Magento | =2.4.3 | |
| Magento Magento | =2.4.3-p1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Peer vulnerabilities
(Found alongside the following vulnerabilities)
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2022-24086.
Which versions of Adobe Commerce and Magento Open Source are affected?
Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected.
What is the severity rating of CVE-2022-24086?
CVE-2022-24086 has a severity rating of 9.8 (Critical).
How does the vulnerability manifest?
The vulnerability manifests as an improper input validation vulnerability during the checkout process.
Can this vulnerability be exploited without user interaction?
Yes, exploitation of this issue does not require user interaction.
What is the potential impact of this vulnerability?
Exploitation of this vulnerability could result in arbitrary code execution.
How can I fix CVE-2022-24086?
To fix CVE-2022-24086, update to Adobe Commerce version 2.4.3-p2 (or later) or 2.3.7-p3 (or later).
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- agent/description
- exploited/true
- collector/cisa-known-exploited
- source/CISA
- agent/software-canonical-lookup
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-f8fv-f786-9933
- alias/CVE-2022-24086
- agent/remedy
- agent/author
- agent/title
- agent/severity
- collector/github-advisory
- collector/nvd-cve
- source/NVD
- agent/softwarecombine
- collector/bleeping-computer
- source/BleepingComputer
- alias/CVE-2023-46805
- alias/CVE-2024-21887
- alias/CVE-2024-21888
- alias/CVE-2024-21893
- alias/CVE-2023-41265
- alias/CVE-2023-41266
- alias/CVE-2023-48365
- agent/weakness
- agent/references
- agent/tags
- agent/event
- agent/news-ai
- vendor/adobe
- canonical/adobe commerce
- version/adobe commerce/2.3.6
- version/adobe commerce/2.4.0
- version/adobe commerce/2.4.2
- version/adobe commerce/2.3.7-p1
- version/adobe commerce/2.3.7-p2
- version/adobe commerce/2.4.3
- version/adobe commerce/2.4.3-p1
- vendor/magento
- canonical/magento magento
- version/magento magento/2.3.6
- version/magento magento/2.4.0
- version/magento magento/2.4.2
- version/magento magento/2.3.7-p1
- version/magento magento/2.3.7-p2
- version/magento magento/2.4.3
- version/magento magento/2.4.3-p1
- canonical/adobe commerce and magento open source
- package-manager/composer