Magento Security Release APSB25-08 [Impact Analysis]
Critical (CVSS 9.4) release enables attackers to take control of customer accounts.
APSB25-08 released on Feb 11th, 2025
Critical Adobe Commerce/Magento security patches have just been released (CVSS 9.4/10)
New versions: 2.4.4-p12, 2.4.5-p11, 2.4.6-p9, 2.4.7-p4, additionally 2.4.8-beta2. You should schedule an upgrade ASAP.
- Request validation was added to the Asynchronous Web API. This is a port of CVE-2023-38218, which previously received an 8.8 CVSS score (see our analysis) but is now a critical 9.4. Unauthorized attackers can take control of customer accounts. There is an isolated patch available if you cannot upgrade.
- Several stored XSS that could be exploited with admin access. Areas affected are system configuration, product edit page, customer edit page, and the dashboard.
- A locking mechanism was added to prevent coupons from being used more than their allowed limit.
- In the wake of CosmicSting, a new "extensible data re-encryption mechanism" was added to make changing your encryption key less painful. Despite Adobe's claim that it is in 2.4.8-beta only, it is present in the 2.4.4 patch as well.
- A directory traversal issue was fixed that would allow admins to download arbitrary files within the var folder.
- TinyMCE was downgraded from version 7 to version 6 due to compatibility issues with OSL (thanks Fabrizio Balliano and Tu Van).
eComscan will alert you about vulnerable installations.
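A defender-side version check for this release, added here as an example (it is not Sansec's or Adobe's own tooling): it parses a Magento version string and reports whether the install is at or above the fixed release named above for its branch. It cannot see Adobe's isolated patch, so a store that applied that patch without upgrading still reports as vulnerable; the sample versions at the bottom are constructed.

```python
import re
from typing import Optional, Tuple

# Fixed releases listed in APSB25-08, keyed by 2.4.x branch -> minimum -pN level.
FIXED_PATCH_LEVEL = {(2, 4, 4): 12, (2, 4, 5): 11, (2, 4, 6): 9, (2, 4, 7): 4}
# The 2.4.8 pre-release line: 2.4.8-beta2 carries the fix.
FIXED_BETA_LEVEL = {(2, 4, 8): 2}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(p|beta)(\d+))?$")


def parse_version(version: str) -> Optional[Tuple[Tuple[int, int, int], str, int]]:
    """Split '2.4.6-p8' into ((2, 4, 6), 'p', 8); a bare '2.4.7' is patch level 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    base = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    kind = m.group(4) or "p"
    level = int(m.group(5)) if m.group(5) else 0
    return base, kind, level


def apsb25_08_status(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for a Magento version string."""
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"
    base, kind, level = parsed
    if kind == "beta":
        fixed = FIXED_BETA_LEVEL.get(base)
        return "unknown" if fixed is None else ("patched" if level >= fixed else "vulnerable")
    fixed = FIXED_PATCH_LEVEL.get(base)
    if fixed is not None:
        return "patched" if level >= fixed else "vulnerable"
    # Branches older than 2.4.4 get no fixed release in this advisory: treat as exposed.
    if base < (2, 4, 4):
        return "vulnerable"
    # Newer GA branches (e.g. a 2.4.8 release) are not covered by this advisory.
    return "unknown"


if __name__ == "__main__":
    # Constructed sample inventory, not real stores.
    for v in ["2.4.6-p8", "2.4.6-p9", "2.4.7", "2.4.7-p4", "2.4.8-beta1", "2.4.3-p3"]:
        print(f"{v:12s} {apsb25_08_status(v)}")
```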