M2 CVE-2022-24086 and MageCart #2016

JonLaliberte · 2022-02-14T18:45:15Z

JonLaliberte
Feb 14, 2022

I'm wondering if this is a problem for M1 as well?
Details: https://securityaffairs.co/wordpress/127999/hacking/cve-2022-24086-zero-day.html

I also saw this recently: https://sansec.io/research/naturalfreshmall-mass-hack
The root cause of the problem here is an SQL injection in a 3rd party module, but I'm wondering if there is anything that should be patched in Zend_Memory_Manager/Zend_CodeGenerator_Php_File to prevent this type of vulnerability.

Answered by Flyingmana

Feb 14, 2022

we prevented this type of vulnerability by not allowing this kind of unserialization via #1251

although it might be worth to check if the sql injection vulnerability could also apply to us

View full answer

Flyingmana · 2022-02-14T18:48:36Z

Flyingmana
Feb 14, 2022

we prevented this type of vulnerability by not allowing this kind of unserialization via #1251

although it might be worth to check if the sql injection vulnerability could also apply to us

2 replies

JonLaliberte Feb 14, 2022
Author

I believe you meant to link to #1251?

Flyingmana Feb 14, 2022

yes, I corrected it, sorry for the confusion, copied to many links recently

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

M2 CVE-2022-24086 and MageCart #2016

{{title}}

Replies: 1 comment 2 replies

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

Select a reply

M2 CVE-2022-24086 and MageCart #2016

JonLaliberte Feb 14, 2022

Replies: 1 comment · 2 replies

Flyingmana Feb 14, 2022

JonLaliberte Feb 14, 2022 Author

Flyingmana Feb 14, 2022

JonLaliberte
Feb 14, 2022

Replies: 1 comment 2 replies

Flyingmana
Feb 14, 2022

JonLaliberte Feb 14, 2022
Author