CVE-2022-24086: 
PHP vulnerability analysis and mitigation

Adobe Commerce (formerly known as Magento) versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) were affected by an improper input validation vulnerability (CVE-2022-24086) discovered in early 2022. The vulnerability was identified during the checkout process and required no user interaction for exploitation. Adobe acknowledged that this vulnerability had been actively exploited in the wild (Adobe Bulletin, NVD).

The vulnerability stems from unsafe string interpolation in the templating engine of Adobe Commerce. The exploit leverages two key functions exposed to the templating engine - getTemplateFilter and addAfterFilterCallback. These functions allow attackers to obtain a reference to a 'filter' object and attach arbitrary PHP functions to it, ultimately enabling remote code execution. The vulnerability can be exploited through multiple vectors, including the checkout process and the 'Wishlist' module (Watchtowr Labs).

The vulnerability allows unauthenticated remote code execution (RCE), which is considered the most severe type of vulnerability. Its impact is comparable to the Magento Shoplift vulnerability from 2015, which led to widespread compromises of unpatched stores. The vulnerability particularly affects e-commerce platforms, potentially exposing sensitive customer and payment data (Sansec Research).

Adobe released two emergency patches: MDVA-43395 (February 13th) and MDVA-43443 (February 17th). Both patches must be applied in order for complete protection. For versions between Magento 2.3.3 and 2.3.7, manual patch application is possible. Versions below 2.3.3 are not directly vulnerable but are recommended to implement the patches, particularly the code changes affecting vendor/magento/module-email/Model/Template/Filter.php (Sansec Research).