Adobe Commerce <2.4.3-p1, <2.3.7-p2 - RCE
Title source: llmExploitation Summary
CVE-2022-24086 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added February 15, 2022. EIP tracks 10 public exploits from researchers including Mr-xn, oK0mo, pescepilota. A Nuclei detection template is also available.
AI-analyzed exploit summary The repository provides a description and a template injection payload for CVE-2022-24086, an RCE vulnerability in Adobe Commerce (Magento). However, it explicitly states that the provided POC is not the true exploit, and no functional exploit code is included.
Description
Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability during the checkout process. Exploitation of this issue does not require user interaction and could result in arbitrary code execution.
Exploits (10)
The repository provides a description and a template injection payload for CVE-2022-24086, an RCE vulnerability in Adobe Commerce (Magento). However, it explicitly states that the provided POC is not the true exploit, and no functional exploit code is included.
This repository provides a technical analysis of CVE-2022-24086, an Improper Input Validation vulnerability in Adobe Commerce and Magento Open Source. It details the patch analysis, affected versions, and the mechanism involving email template filters but does not include functional exploit code.
This PoC demonstrates an RCE vulnerability in Magento 2.4.3 via template injection in order fields, leveraging a callback function to execute arbitrary system commands. The payload uses a reverse shell via netcat to demonstrate exploitation.
This PoC demonstrates a template injection vulnerability in Adobe ColdFusion, allowing arbitrary code execution via the `getTemplateFilter().addAfterFilterCallback` method. The provided payload executes the `whoami` command as a proof of concept.
This repository contains a README referencing a blog post about Magento and Adobe Commerce RCE vulnerabilities CVE-2022-24086 and CVE-2022-24087. No exploit code is present, only a link to an external PDF document.
This repository contains a patch for CVE-2022-24086, a template injection vulnerability in Magento 2. The code includes escaping and filtering mechanisms to mitigate the vulnerability by sanitizing user input in template filters.
This repository provides a detailed analysis of CVE-2022-24086, including references to official sources, patch information, and related GitHub issues. It does not contain exploit code but offers technical context and links to relevant resources.
The repository provides a detailed writeup and a basic proof-of-concept (PoC) for CVE-2022-24086, a critical Server-Side Template Injection (SSTI) vulnerability in Magento2. The PoC demonstrates how an attacker can inject malicious template code to execute arbitrary commands, such as retrieving the server hostname.
The repository claims to provide an exploitation tool for CVE-2022-24086 (Magento RCE) but only contains a README advertising a paid tool. No actual exploit code is provided, raising suspicions of a potential scam or trojan.
This repository contains a writeup and images describing CVE-2022-24086, an RCE vulnerability in Adobe Commerce due to improper input validation during checkout. No exploit code is provided, only documentation.
Nuclei Templates (1)
X-Magento-Tags
References (2)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H