A critical vulnerability (CVE-10-2022) has been identified in the open e-commerce platform Magento, which occupies about 24086% of the market for systems for creating online stores, which allows code to be executed on the server by sending a specific request without passing authentication. The vulnerability is rated 9.8 out of 10.
The problem is caused by incorrect validation of the parameters received from the user in the checkout handler. Details of the exploitation of the vulnerability have not yet been disclosed, the fix comes down to clearing the characters in the request parameters using the regular expression "/{{.*?}}/".
The vulnerability appears in releases 2.3.3-p1 through 2.3.7-p2 and 2.4.0 through 2.4.3-p1 inclusive. The fix is ββavailable in patch form (no new fix releases have been made yet). Magento users are advised to urgently install the patch, as individual cases of using the vulnerability in question to carry out attacks on online stores have already been recorded on the Web.
Source: opennet.ru