Nine vulnerabilities were added to the US Cybersecurity and Infrastructure Security Agency’s (CISA) catalog of known exploited vulnerabilities this week, with two carrying a remediation date of March 1.
The two vulnerabilities — CVE-2022-24086 and CVE-2022-0609 — affect Adobe Commerce and Magento, and Google Chrome, respectively.
Adobe released an emergency patch on Monday to tackle CVE-2022-24086, which security companies have confirmed is being exploited in the wild. The tech giant said that the vulnerability impacts Adobe Commerce and Magento Open Source. It is being weaponized “in very limited attacks targeting Adobe Commerce merchants,” according to Adobe.
The bug affects Adobe Commerce 2.3.3-p1 through 2.3.7-p2 and Magento Open Source 2.4.0 through 2.4.3-p1, as well as earlier versions. The vulnerability has been assigned a CVSS severity score of 9.8 out of 10. Adobe’s patches are available for download and must be applied manually.
Adobe urged customers using the Magento 1 e-commerce platform to upgrade to the latest version of Adobe Commerce after security company Sansec detected a mass breach of over 500 stores running the platform. In a statement to ZDNet, Adobe said it ended support for Magento 1 on June 30, 2020.
“We continue to encourage merchants to upgrade to the latest version of Adobe Commerce for the most up-to-date security, flexibility, extensibility, and scalability,” an Adobe spokesperson said.
“At a minimum, we recommend Magento Open Source merchants on Magento 1 to upgrade to the latest version of Magento Open Source (built on Magento 2), to which Adobe contributes key security updates.”
The other issue given a remediation date of March 1 is a use-after-free vulnerability in Google Chrome. Google released a fix for the issue on Monday and said it was reported on February 10 by Adam Weidemann and Clément Lecigne of Google’s Threat Analysis Group.
“Google is aware of reports that an exploit for CVE-2022-0609 exists in the wild,” Google Chrome’s Srinivas Sista added.
The rest of the vulnerabilities on the list have remediation dates of August 15.
CISA has been updating its known exploited vulnerabilities catalog more frequently in 2022, adding more bugs with each update. Its previous update was just five days ago and included one vulnerability with a remediation date of February 24.