- Adobe has patched a critical web flaw in Commerce and Magento
- The bug, called SessionReaper, is rated 9.1/10 and affects several versions
- Researchers warn the leaked hotfix could help attackers
Adobe has patched a critical vulnerability in its Adobe Commerce and Magento Open Source platforms that could lead to complete account takeover.
In a recently published security advisory, Adobe said it had fixed an improper input validation vulnerability (CWE-20) affecting the ServiceInputProcessor of the web API.
In other words, it allows malicious, poorly validated API requests to bypass security controls. Researchers have nicknamed it SessionReaper.
The most serious flaw ever
The bug is now tracked as CVE-2025-54236 and has received a severity score of 9.1/10 (critical) on the National Vulnerability Database (NVD).
Vulnerable versions include 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier, according to the NVD page.
“A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact to high. Exploitation of this issue does not require user interaction.” Adobe Commerce on Cloud customers are protected by a web application firewall (WAF), the company confirmed.
The company says it is not aware of any exploitation in the wild but, according to BleepingComputer, the bug has been described as the “most serious” flaw in the history of the platform.
A fix was published on September 9 and customers are urged to apply it without delay. “Please apply the hotfix as soon as possible. If you don’t, you will be vulnerable to this security issue, and Adobe will have limited means to help resolve it,” Adobe warned.
Although there is no evidence of abuse in the wild, security firm Sansec said that the initial SessionReaper hotfix had been leaked a few days earlier, which could allow malicious actors to reverse engineer it and find additional holes to exploit, BleepingComputer reported.
At the same time, some researchers think that deploying the fix could break external code, because it disables certain Magento features.
Via BleepingComputer