CVE-2022-24086
Magento improper input validation vulnerability
9.8
CRITICAL
CVSS 3.1
⚠ KEV | EPSS 93.7%
Description
Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability during the checkout process. Exploitation of this issue does not require user interaction and could result in arbitrary code execution.
How to fix CVE-2022-24086
To remediate CVE-2022-24086, upgrade the affected package to a fixed version below.
- upgrade to 2.3.0 or later
- upgrade to 2.3.7-p3 or later
Is CVE-2022-24086 being exploited?
Yes — CVE-2022-24086 is on the CISA Known Exploited Vulnerabilities (KEV) catalog. Patch immediately.
Affected packages (2)
- >= 0, < 2.3.0 | >= 2.3.3, <= 2.3.6 | >= 2.3.7-p1, <= 2.3.7-p1 | >= 2.3.7-p2, <= 2.3.7-p2 | >= 2.4.0, <= 2.4.2 | >= 2.4.3-p1, <= 2.4.3-p1 | >= 2.4.3, <= 2.4.3
- >= 2.3.3-p1, < 2.3.7-p3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H |