Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2022-24086 PoC — Adobe Commerce checkout improper input validation leads to remote code execution

Source
https://github.com/wubinworks/magento2-template-filter-patch
Associated Vulnerability
Title:Adobe Commerce checkout improper input validation leads to remote code execution (CVE-2022-24086)
Description:Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability during the checkout process. Exploitation of this issue does not require user interaction and could result in arbitrary code execution.
Description
Magento 2 patch for CVE-2022-24086. Fix the RCE vulnerability and related bugs by performing deep template variable escaping. If you cannot upgrade Magento or cannot apply the official patches, try this one.
Readme
# Magento 2 Template Filter Patch for CVE-2022-24086

**Magento 2 patch for CVE-2022-24086. Fix the RCE vulnerability and related bugs by performing deep template variable escaping. If you cannot upgrade Magento or cannot apply the official patches, try this one.**

<a href="https://www.wubinworks.com/template-filter-patch.html" target="_blank"><img src="https://raw.githubusercontent.com/wubinworks/home/master/images/Wubinworks/TemplateFilterPatch/template-filter-patch.jpg" alt="Wubinworks CVE-2022-24086 Patch" title="Wubinworks CVE-2022-24086 Patch"/></a>

## Background

[CVE-2022-24086](https://nvd.nist.gov/vuln/detail/cve-2022-24086) was discovered in the beginning of 2022. For Magento 2.4 releases, all versions <= 2.4.3-p1 are affected by this Remote Code Execution(RCE) vulnerability. 2 [official isolated patches](https://helpx.adobe.com/security/products/magento/apsb22-12.html) were released on February 2022.

However, even in late 2024, we are still receiving consultations regarding this issue and their hacked stores were identified that this vulnerability was exploited. Most observed attacks were performed by inputting a string that contains `template directive`.

The most typical ways are making use of the checkout process, triggering an email sending with the email containing user controlled fields, etc.

We release this patch due to this widespread attack and some stores still having difficulties to upgrade or apply the 2 official patches.

While making this patch as an extension, we keep compatibility in mind. So it should work on all Magento 2.4 versions.

## Features

 - Fixed the RCE caused by malicious user data
 - Fixed an [Unintended User Data Parsing Bug](https://github.com/magento/magento2/issues/39353)
 - Maintains compatibility as much as possible for old templates(see [Template Compatibility Section](#template-compatibility) below)

## Template Compatibility

Although the [official documentation](https://web.archive.org/web/20220710211400/https://developer.adobe.com/commerce/frontend-core/guide/templates/email-migration/) says "methods can no longer be called from variables from either the var directive or when used as parameters", but  as we confirmed, even in the latest version(2.4.7-p3), calling "Getter" method on Data Object and calling `getUrl` method on Email Template Object(`\Magento\Email\Model\AbstractTemplate`) are still allowed.

This patch(extension) also keeps the above features. So `{{var data_object.something}}` and `{{var data_object.getSomething()}}` are both OK and equivalent.

`getUrl` example:
```
{{var this.getUrl($store,'route_id/controller/action',[_query:[param1:$obj.param1,param2:$obj.param2],_nosid:1])}}
```

**In summary, after installing this extension:**
 - Objects which are not `\Magento\Framework\DataObject` or its child instance cannot be accessed
 - Only "Getter" methods are allowed on `\Magento\Framework\DataObject` and its child instances
 - `getUrl` method is only working on `this`


## Technical Info

### Official Approach

##### >=2.4.3-p2
Removed `LegacyResolver` to stop the RCE.
##### >=2.4.4-p2 || >=2.4.5-p1
Introduced "deferred directive with signature" for child template. We are unsure if it has any security enhancement.
##### Latest(2.4.7-p3)
Still has an unfixed bug([#39353](https://github.com/magento/magento2/issues/39353)).

### Our Approach
Use "deep template variable escaping" before the template filtering process. `LegacyResolver` will only receive escaped user data and hence can be kept.

# Requirements

**Magento 2.4**

# Installation

**`composer require wubinworks/module-template-filter-patch`**

## ♥
If you like this extension please star this repository.

You may also like: [Magento 2 patch for CVE-2024-34102(aka CosmicSting)](https://github.com/wubinworks/magento2-cosmic-sting-patch)
File Snapshot

 [4.0K]  /data/pocs/ae2fab0eddfabe804c45080c5467cb008101a206
├── [1.2K]  composer.json
├── [ 239]  COPYING.txt
├── [4.0K]  etc
│   ├── [1.9K]  di.xml
│   └── [ 389]  module.xml
├── [10.0K]  LICENSE.txt
├── [4.0K]  Model
│   ├── [4.0K]  Escaper
│   │   ├── [2.0K]  Debugger.php
│   │   └── [6.8K]  Filter.php
│   ├── [2.9K]  Escaper.php
│   ├── [2.4K]  SafeDataObject.php
│   ├── [1.4K]  SafeEmailTemplate.php
│   ├── [1.4K]  StoreUrl.php
│   └── [4.0K]  Utils
│       └── [3.1K]  SafeStringReplace.php
├── [4.0K]  Plugin
│   └── [4.0K]  Framework
│       └── [4.0K]  Filter
│           └── [3.7K]  Template.php
├── [3.7K]  README.md
└── [ 257]  registration.php

7 directories, 15 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →