CVE-2022-24086— Adobe Commerce checkout improper input validation leads to remote code execution
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2022-24086
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Adobe Commerce checkout improper input validation leads to remote code execution
Source: NVD (National Vulnerability Database)
Vulnerability Description
Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability during the checkout process. Exploitation of this issue does not require user interaction and could result in arbitrary code execution.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
输入验证不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Adobe Magento 输入验证错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Adobe Magento是美国奥多比(Adobe)公司的一套开源的PHP电子商务系统。该系统提供权限管理、搜索引擎和支付网关等功能。 Adobe Magento 存在输入验证错误漏洞,该漏洞源于输入验证不当。攻击者可利用该漏洞向应用程序发送专门设计的请求,并在目标系统上执行任意代码。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Shenlong Deep Dive — AI Deep Analysis
10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Adobe | Magento Commerce | unspecified ~ 2.4.3-p1 | - |
II. Public POCs for CVE-2022-24086
| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| 1 | CVE-2022-24086 about Magento RCE | https://github.com/Mr-xn/CVE-2022-24086 | POC Details |
| 2 | CVE-2022-24086 RCE | https://github.com/nanaao/CVE-2022-24086-RCE | POC Details |
| 3 | None | https://github.com/NHPT/CVE-2022-24086-RCE | POC Details |
| 4 | Verifed Proof of Concept on CVE-2022-24086 | https://github.com/oK0mo/CVE-2022-24086-RCE-PoC | POC Details |
| 5 | None | https://github.com/seymanurmutlu/CVE-2022-24086-CVE-2022-24087 | POC Details |
| 6 | PoC of CVE-2022-24086 | https://github.com/akr3ch/CVE-2022-24086 | POC Details |
| 7 | Proof of concept of CVE-2022-24086 | https://github.com/pescepilota/CVE-2022-24086 | POC Details |
| 8 | CVE-2022-24086 POC example | https://github.com/BurpRoot/CVE-2022-24086 | POC Details |
| 9 | An attacker could place HTML containing executable JavaScript inside element attributes. This markup becomes unescaped, causing arbitrary markup to be injected into the document. | https://github.com/rxerium/CVE-2022-24086 | POC Details |
| 10 | Magento 2 patch for CVE-2022-24086. Fix the RCE vulnerability and related bugs by performing deep template variable escaping. If you cannot upgrade Magento or cannot apply the official patches, try this one. | https://github.com/wubinworks/magento2-template-filter-patch | POC Details |
| 11 | Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability during the checkout process. Exploitation of this issue does not require user interaction and could result in arbitrary code execution. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-24086.yaml | POC Details |
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2022-24086
请登录查看更多情报信息。
- https://helpx.adobe.com/security/products/magento/apsb22-12.htmlx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2022-24086
Same Patch Batch · Adobe · 2022-02-16 · 18 CVEs total
| CVE-2022-23188 | 7.8 HIGH | Adobe Illustrator Buffer Overflow could lead to Arbitrary code execution |
| CVE-2022-23186 | 7.8 HIGH | Adobe Illustrator Out-of-bounds Write could lead to Arbitrary code execution |
| CVE-2022-23203 | 7.8 HIGH | Adobe Photoshop Buffer Overflow could lead to Arbitrary code execution |
| CVE-2022-23202 | 7.0 HIGH | Adobe Creative Cloud Desktop Uncontrolled Search Path Element Arbitrary code execution |
| CVE-2022-23195 | 5.5 MEDIUM | Adobe Illustrator Out-of-bounds Read could lead to Memory leak |
| CVE-2022-23204 | 5.5 MEDIUM | Adobe Premiere Rush JPEG File Parsing Out-Of-Bounds Read Information Disclosure Vulnerabil |
| CVE-2022-23197 | 5.5 MEDIUM | Adobe Illustrator Out-of-bounds Read could lead to Memory leak |
| CVE-2022-23199 | 5.5 MEDIUM | Adobe Illustrator NULL Pointer Dereference Application denial-of-service |
| CVE-2022-23198 | 5.5 MEDIUM | Adobe Illustrator NULL Pointer Dereference Application denial-of-service |
| CVE-2022-23196 | 5.5 MEDIUM | Adobe Illustrator Out-of-bounds Read could lead to Memory leak |
| CVE-2022-23192 | 5.5 MEDIUM | Adobe Illustrator Out-of-bounds Read could lead to Memory leak |
| CVE-2022-23194 | 5.5 MEDIUM | Adobe Illustrator Out-of-bounds Read could lead to Memory leak |
| CVE-2022-23191 | 5.5 MEDIUM | Adobe Illustrator Out-of-bounds Read could lead to Memory leak |
| CVE-2022-23190 | 5.5 MEDIUM | Adobe Illustrator Out-of-bounds Read could lead to Memory leak |
| CVE-2022-23189 | 5.5 MEDIUM | Adobe Illustrator NULL Pointer Dereference Application denial-of-service |
| CVE-2022-23193 | 5.5 MEDIUM | Adobe Illustrator Out-of-bounds Read could lead to Memory leak |
| CVE-2022-23200 | Adobe After Effects 3GP File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerabili |
IV. Related Vulnerabilities
Same product: Magento Commerce
- CVE-2023-38208
Validate Your Inputs | Improper Neutralization of Special El - CVE-2023-38209
Adobe Commerce Incorrect Authorization Security feature bypa - CVE-2023-29292
Server Side Request Forgery (SSRF) in FedEx carrier integrat - CVE-2023-29296
[Cloud] Customer suspects IDOR vulnerability - CVE-2023-29294
Bypass Purchase Order Approval using Company User in Adobe C
Same vendor: Adobe
- CVE-2026-34632
Photoshop Installer | CWE-427: Uncontrolled Search Path Elem - CVE-2026-27297
Adobe Framemaker | Integer Underflow (Wrap or Wraparound) (C - CVE-2026-27300
Adobe Framemaker | Access of Uninitialized Pointer (CWE-824) - CVE-2026-27296
Adobe Framemaker | Integer Underflow (Wrap or Wraparound) (C - CVE-2026-27290
Adobe Framemaker | Untrusted Search Path (CWE-426)
Same weakness: CWE-20
V. Comments for CVE-2022-24086
No comments yet