CVE-2024-34102 — CosmicSting Magento Vulnerability

CVE-2024-34102 — CosmicSting Magento Vulnerability

Jun 22, 2024 | Peter Denison

The recent Magento vulnerability (CVE-2024-34102) has been rated as 9.8 Critical: https://nvd.nist.gov/vuln/detail/CVE-2024-34102

We hence urge all clients and Magento site operators to immediately patch against CVE-2024-34102 if they haven't already.

Please see here for the Adobe Security bulletin:
https://helpx.adobe.com/security/products/magento/apsb24-40.html

For users who aren't able to patch immediately, there is a workaround that should block the majority of attacks (source: https://sansec.io/research/cosmicsting). This is applied by adding the following snippet to the top of app/bootstrap.php

1 2 3 4 5 if (strpos(file_get_contents('php://input'), 'dataIsURL') !== false) { header('HTTP/1.1 503 Service Temporarily Unavailable'); header('Status: 503 Service Temporarily Unavailable'); exit; }

Thankfully Magento has not had many serious vulnerabilities discovered in recent years, but the severity of this one means that stores that aren't patched are very likely to eventually be exploited.

Please don't hesitate to reach out to support if you need a referral to a developer who can help you implement the patch or the above workaround.

You may also like: