CVE-2022-24086 PoC — Adobe Commerce checkout improper input validation leads to remote code execution

Title: Adobe Commerce checkout improper input validation leads to remote code execution (CVE-2022-24086)
Description: Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability during the checkout process. Exploitation of this issue does not require user interaction and could result in arbitrary code execution.
# CVE-2022-24086
CVE-2022-24086 POC example
provided by BurpRoot

CVE-2022-24086: Overview
Affected Software: Magento2
CVE ID: CVE-2022-24086
CVSS Score: 9.8 (Critical)

# Description
CVE-2022-24086 is a critical security vulnerability affecting multiple versions of the Magento2 e-commerce platform. This vulnerability allows an unauthenticated attacker to execute arbitrary code on the server, thereby gaining unauthorized access to sensitive data and potentially taking control of the affected system.

Affected Versions
The vulnerability affects the following Magento2 versions:

Magento2 versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier)

Impact
The impact of this vulnerability is considered critical. Exploitation of this vulnerability could allow an attacker to:

Execute arbitrary code on the system
Gain unauthorized access to sensitive data
Take full control of the affected system

Technical Details
CVE-2022-24086 stems from Server-Side Template Injection (SSTI) issues known in Magento2. An attacker injects malicious template code into the application, and the server then evaluates it. This enables the attacker to execute arbitrary code, manipulate the web application, or even exfiltrate sensitive data.

POC:

Exploitation Method
To exploit CVE-2022-24086, an attacker would need to inject malicious template code during the checkout process or through another form in the Magento2 application. Specifically, by injecting the relevant Magento2 template variable, the attacker can retrieve the hostname of the Magento2 server.

Disclaimer: This information is provided for educational purposes and to help system administrators defend against this specific vulnerability. Do not use this information for malicious purposes.

"{{var this.getTemplateFilter().addAfterFilterCallback("system").filter("hostname")}}"
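
A defensive check for the injection described above, as an added example that is not part of the original README: it scans user-supplied checkout fields for Magento-style `{{...}}` directives and escalates those that contain method calls. The field names and sample record are constructed, and the URL/HTML decoding step goes beyond the single string shown on this page.

```python
import re
from html import unescape
from urllib.parse import unquote

# Magento-style directive: {{name ...}} where name is e.g. "var"
DIRECTIVE = re.compile(r"\{\{\s*([a-zA-Z_]+)\b(.*?)\}\}", re.S)
# Method-call syntax inside a directive, e.g. this.getTemplateFilter()
METHOD_CALL = re.compile(r"\.\s*[A-Za-z_]\w*\s*\(")
# Method names taken from the string quoted on this page
PAGE_MARKERS = ("gettemplatefilter", "addafterfiltercallback")

def normalise(value: str) -> str:
    """Undo up to three layers of URL/HTML encoding so encoded braces still match."""
    for _ in range(3):
        decoded = unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value

def classify(value: str) -> str:
    """Return 'clean', 'directive' or 'method-call' for one user-supplied field."""
    text = normalise(value)
    verdict = "clean"
    for match in DIRECTIVE.finditer(text):
        body = match.group(2)
        if METHOD_CALL.search(body) or any(m in body.lower() for m in PAGE_MARKERS):
            return "method-call"  # object access in customer data: alert
        verdict = "directive"     # template syntax has no place in a name or address
    return verdict

def scan_order(order: dict) -> dict:
    """Map each flagged field name of a checkout record to its verdict."""
    results = {k: classify(str(v)) for k, v in order.items()}
    return {k: v for k, v in results.items() if v != "clean"}

# Constructed sample record; field names are hypothetical, not Magento's schema.
SAMPLE_ORDER = {
    "firstname": "Alice",
    "lastname": '{{var this.getTemplateFilter().addAfterFilterCallback("system").filter("hostname")}}',
    "street": "%7B%7Bvar%20order.getId()%7D%7D",
    "company": "{{var store_name}}",
    "city": "Berlin {not a directive}",
}

if __name__ == "__main__":
    for field, verdict in scan_order(SAMPLE_ORDER).items():
        print(f"{field}: {verdict}")
```

A check like this helps triage stored orders and request logs on a system that was exposed before patching; it does not replace upgrading past the affected versions.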