CVE-2024-34102 — CosmicSting Magento Vulnerability
Jun 22, 2024 | Peter Denison
- magento
- adobe
- vulnerability
- security
- patch
The recent Magento vulnerability (CVE-2024-34102) has been rated as 9.8 Critical: https://nvd.nist.gov/vuln/detail/CVE-2024-34102
We hence urge all clients and Magento site operators to immediately patch against CVE-2024-34102 if they haven't already.
Please see here for the Adobe Security bulletin:
https://helpx.adobe.com/security/products/magento/apsb24-40.html
For users who aren't able to patch immediately, there is a workaround that should block the majority of attacks (source: https://sansec.io/research/cosmicsting). It is applied by adding the following snippet to the very top of app/bootstrap.php, before Magento's own bootstrap code runs:
// CosmicSting workaround (source: Sansec): refuse any request whose raw body
// contains the 'dataIsURL' marker before Magento bootstraps.
if (strpos(file_get_contents('php://input'), 'dataIsURL') !== false) {
    header('HTTP/1.1 503 Service Temporarily Unavailable');
    header('Status: 503 Service Temporarily Unavailable');
    exit;
}
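The following is an added example, not code from the original post, from Sansec or from Adobe. It wraps the same body check as the workaround above in a function so it can be tested locally, and logs each blocked request (method, path, client address, body size) to the PHP error log so that blocked attempts are visible during incident review. The function names, the log format and the sample request bodies are all constructed for this example; the check itself is identical to the workaround's strpos() test, so it blocks exactly the same requests.

```php
<?php
// Added example (not from the original post, Sansec or Adobe): the workaround's
// body check wrapped in a function, with logging of blocked requests.

/**
 * Return true when the raw request body contains the 'dataIsURL' marker.
 * Mirrors the strpos() check in the workaround exactly, so it blocks the
 * same requests and no more.
 */
function cosmicsting_should_block(string $body): bool
{
    return strpos($body, 'dataIsURL') !== false;
}

/**
 * Guard to call at the very top of app/bootstrap.php (hypothetical helper
 * name). Reads the raw body, logs a blocked request to the PHP error log so
 * the attempt shows up in incident review, and answers 503 exactly as the
 * workaround does. php://input can be read again later by Magento, so this
 * early read does not consume the request body.
 */
function cosmicsting_guard(): void
{
    $body = file_get_contents('php://input');
    if ($body === false || !cosmicsting_should_block($body)) {
        return;
    }
    $method = $_SERVER['REQUEST_METHOD'] ?? '-';
    $uri    = $_SERVER['REQUEST_URI'] ?? '-';
    $ip     = $_SERVER['REMOTE_ADDR'] ?? '-';
    error_log(sprintf(
        'CosmicSting workaround blocked request: %s %s from %s (body %d bytes)',
        $method, $uri, $ip, strlen($body)
    ));
    header('HTTP/1.1 503 Service Temporarily Unavailable');
    header('Status: 503 Service Temporarily Unavailable');
    exit;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample bodies for a quick local check of the predicate;
    // they are not real request payloads, just strings with and without
    // the marker the workaround looks for.
    $samples = [
        '{"customer":{"email":"someone@example.com"}}' => false,
        '{"x":{"dataIsURL":true}}'                     => true,
        'plain text mentioning dataIsURL'              => true,
        ''                                             => false,
    ];
    foreach ($samples as $body => $expected) {
        $got = cosmicsting_should_block($body);
        printf("%-50s -> %s\n", json_encode($body), $got ? 'block' : 'allow');
        if ($got !== $expected) {
            fwrite(STDERR, "unexpected result for sample\n");
            exit(1);
        }
    }
    echo "all samples behaved as expected\n";
} else {
    cosmicsting_guard();
}
```

Run it with `php guard.php` to exercise the predicate against the constructed samples; when included from app/bootstrap.php under a web server it behaves as the workaround does and additionally writes one error-log line per blocked request, which is the line to search for when reviewing whether a store was targeted before the patch was applied.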
Thankfully Magento has not had many serious vulnerabilities discovered in recent years, but the severity of this one means that stores that aren't patched are very likely to eventually be exploited.
Please don't hesitate to reach out to support if you need a referral to a developer who can help you implement the patch or the above workaround.