New ‘PolyShell’ flaw allows unauthenticated RCE on Magento e-stores

A newly disclosed vulnerability called “PolyShell” affects all Magento Open Source and Adobe Commerce 2.x installations. It lets unauthenticated attackers upload polyglot files (files that are valid in more than one format, for example an image that also contains PHP or HTML), which can lead to remote code execution or to stored XSS and account takeover. Adobe’s fix is currently available only in the second alpha of 2.4.9, and Sansec warns that the exploit method is already circulating; it urges immediate mitigations such as denying web access to pub/media/custom_options and scanning stores for uploaded shells. #PolyShell #Magento

Keypoints

  • PolyShell lets unauthenticated users upload files through the custom-options parameters of Magento’s REST API, potentially enabling RCE or stored XSS leading to account takeover.
  • The vulnerability arises from processing a base64-encoded file_info object and writing files to pub/media/custom_options/quote/.
  • Sansec reports the exploit method is circulating and expects automated attacks soon, though no active exploitation has been observed yet.
  • Adobe has issued a fix only in the 2.4.9 second alpha, leaving production versions unpatched for now.
  • Administrators should restrict web access to pub/media/custom_options, verify that their nginx/Apache rules actually deny it, and scan stores for uploaded shells or backdoors.
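As an added example for the last point (this is not code from Sansec, Adobe or BleepingComputer): a POSIX shell scanner for Magento’s custom-option upload directory. It flags two things: files whose extension a web server might execute or render (.php, .phtml, .html, .svg and similar) and files of any extension that contain PHP or script markers, which is what a polyglot image looks like on disk. The Magento root path and the marker list are assumptions to adjust per store; the sample tree the script can build is constructed test data, not real store content.

```shell
#!/bin/sh
# Added example, not from the original article or from Sansec/Adobe.
# Scans Magento's custom-option upload directory for webshells and polyglots.
# Assumptions: standard Magento 2 layout under MAGENTO_ROOT; the extension
# and marker lists below are illustrative and should be tuned to your own
# product-option file allow-list.

MAGENTO_ROOT="${MAGENTO_ROOT:-/var/www/magento}"
CUSTOM_OPTIONS_DIR="$MAGENTO_ROOT/pub/media/custom_options"

# classify_file FILE -> prints one of:
#   server-executable-extension  (the web server may run or render it as code)
#   polyglot-payload             (image-looking name, PHP/HTML markers inside)
#   ok
classify_file() {
    f="$1"
    lower=$(printf '%s' "$f" | tr 'A-Z' 'a-z')
    case "$lower" in
        *.php|*.php[0-9]|*.phtml|*.phar|*.shtml|*.htm|*.html|*.svg|*.htaccess)
            echo "server-executable-extension"; return 0 ;;
    esac
    # -a forces grep to search binary (image) data; -i catches <?PHP, <SCRIPT
    if grep -q -a -i -E '<\?php|<\?=|<script|javascript:' "$f" 2>/dev/null; then
        echo "polyglot-payload"; return 0
    fi
    echo "ok"
}

# scan_custom_options DIR -> prints "<reason> <path>" for each suspicious file.
# Returns 0 when nothing was flagged, 1 otherwise (usable from cron).
scan_custom_options() {
    dir="$1"
    hits=0
    [ -d "$dir" ] || return 0
    # The heredoc keeps the loop in the current shell so $hits survives.
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        reason=$(classify_file "$f")
        if [ "$reason" != "ok" ]; then
            printf '%s %s\n' "$reason" "$f"
            hits=$((hits + 1))
        fi
    done <<EOF
$(find "$dir" -type f | sort)
EOF
    [ "$hits" -eq 0 ]
}

# make_sample_dir -> builds a CONSTRUCTED tree in a temp dir and prints its
# path: one benign JPEG, one PNG-named polyglot, one file with a .phtml name.
make_sample_dir() {
    d=$(mktemp -d)
    mkdir -p "$d/quote"
    printf '\377\330\377\340JFIF benign bytes' > "$d/quote/photo.jpg"
    printf '\211PNG\r\n\032\n<?php echo "polyglot"; ?>' > "$d/quote/avatar.png"
    printf 'not really an image' > "$d/quote/shell.phtml"
    echo "$d"
}

# Usage: sh scan_custom_options.sh "$CUSTOM_OPTIONS_DIR"
# With no argument nothing is scanned, so the functions can also be sourced.
if [ -n "${1:-}" ]; then
    scan_custom_options "$1"
fi
```

Run it against the real pub/media/custom_options after confirming the web-server deny rule for that path is in place; the scan catches what was already written, the deny rule stops a written polyglot from being served or executed. Quarantine rather than delete any hit, since the file is evidence of when and how the upload happened.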

Read More: https://www.bleepingcomputer.com/news/security/new-polyshell-flaw-allows-unauthenticated-rce-on-magento-e-stores/