As reported by Bleeping Computer, a critical vulnerability named "PolyShell" has been disclosed, impacting all stable versions of Magento Open Source and Adobe Commerce. This flaw permits unauthenticated code execution and account takeover, posing a significant risk to online retailers.

The "PolyShell" vulnerability stems from how Magento's REST API handles file uploads for cart item custom options. Specifically, when a product option is set to type "file," the system processes an embedded file_info object containing base64-encoded data. This allows attackers to upload a polyglot file, which can act as both an image and a script, to the server's pub/media/custom_options/quote/ directory. Depending on server configuration, this can lead to remote code execution or account takeover through stored cross-site scripting (XSS). While Adobe has released a fix in an alpha version of 2.4.9, production versions remain vulnerable. eCommerce security firm Sansec warns that exploit methods are already circulating, anticipating automated attacks soon.

Until Adobe releases a patch for production versions, store administrators are advised to restrict access to the custom options upload directory and verify their web server configurations. Scanning for existing malware is also recommended.

Source: Bleeping Computer
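The scanning advice above, as an added example that is not code from Bleeping Computer, Sansec or Adobe: a Python check that walks an upload directory such as pub/media/custom_options/quote/ and flags files that contain script markers (including behind a valid image header) or carry an extension a web server might execute. The marker and extension lists are assumptions and not exhaustive, and the sample files are constructed.

```python
import os
import sys
import tempfile

# Magic bytes of common image types (what a legitimate image upload starts with).
IMAGE_MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"GIF87a": "gif",
               b"GIF89a": "gif", b"\xff\xd8\xff": "jpeg"}
# Assumed, non-exhaustive markers that have no place inside a genuine image.
SCRIPT_MARKERS = (b"<?php", b"<script", b"<html")
# Assumed extensions a misconfigured server may execute or render as active content.
RISKY_EXT = (".php", ".phtml", ".phar", ".html", ".htm", ".svg")

def inspect_file(path):
    """Return the reasons a file looks suspicious; an empty list means no finding."""
    with open(path, "rb") as fh:
        data = fh.read()
    kind = next((k for m, k in IMAGE_MAGIC.items() if data.startswith(m)), "non-image")
    reasons = ["risky extension"] if path.lower().endswith(RISKY_EXT) else []
    hits = [m.decode() for m in SCRIPT_MARKERS if m in data.lower()]
    if hits:
        reasons.append(f"{kind} file contains script marker(s): {', '.join(hits)}")
    return reasons

def scan_tree(root):
    """Walk root and map each suspicious relative path to its reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = inspect_file(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings

def demo():
    """Scan three constructed sample files written to a temporary directory."""
    samples = {"clean.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
               "polyglot.gif": b"GIF89a" + b"\x00" * 8 + b"<?php /* constructed */ ?>",
               "note.php": b"plain text"}
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return scan_tree(root)

if __name__ == "__main__":
    for path, why in sorted((scan_tree(sys.argv[1]) if sys.argv[1:] else demo()).items()):
        print(f"{path}: {'; '.join(why)}")
```

Run it with the upload directory as the only argument to scan a real store; with no argument it scans the constructed samples.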
Vulnerability Management
Magento stores vulnerable to ‘PolyShell’ exploit




