The bug, with a severity rating of CVSS 9.8 out of 10, can be used to read any files, including passwords and other secrets. “The typical attack strategy is to steal your secret crypt key from app/etc/env.php and use that to modify your CMS blocks via the Magento API,” Sansec said. “Then, attackers inject malicious Javascript to steal your customer’s data.”
Combined with another bug (CVE-2024-2961), attackers can also run code directly on customers’ servers and use that to install backdoors, the cybersecurity firm added.
Versions of Magento and Adobe Commerce vulnerable to a CosmicSting attack include 2.4.7 and earlier, 2.4.6-p5 and earlier, 2.4.5-p7 and earlier, and 2.4.4-p8 and earlier. Enterprises are advised to immediately patch and apply hotfix for the flow.