PolyShell flaw exposes Magento and Adobe Commerce to file upload attacks
Sansec found a vulnerability named PolyShell in the Magento and Adobe Commerce REST API that lets unauthenticated users upload executable files and potentially trigger XSS. The flaw affects versions 2.4.9-alpha2 and earlier; no patch is available yet. 2026-3-21 10:9:50 Author: securityaffairs.com


Sansec found a Magento and Adobe Commerce REST API flaw, named PolyShell, which allows unauthenticated file uploads and possible XSS in older versions.

Sansec disclosed a critical flaw in the Magento and Adobe Commerce REST API that allows attackers to upload executable files without authentication. The issue affects versions up to 2.4.9-alpha2 and could also enable XSS in releases prior to 2.3.5, exposing many online stores to compromise.

“A new vulnerability in the Magento and Adobe Commerce REST API allows attackers to upload executable files to any store. Adobe fixed the issue in a pre-release version but has not backported the patch.” reads the advisory by Sansec. “Many stores run web server configurations that enable either remote code execution (RCE) or account takeover (stored XSS).”

The name “PolyShell” stems from the use of a polyglot (code disguised as an image).

Magento’s REST API allows file uploads via cart item options by processing base64-encoded data and saving it to a server directory. This affects REST only, as GraphQL uses a different, non-vulnerable path.

“Magento’s REST API accepts file uploads as part of the cart item custom options. When a product option has type “file”, Magento processes an embedded file_info object containing base64-encoded file data, a MIME type, and a filename. The file is written to pub/media/custom_options/quote/ on the server.” continues the report. “GraphQL mutations use a different code path and are not vulnerable.”

The vulnerability has existed since Magento 2’s first release and was only addressed in the 2.4.9 pre-release (APSB25-94), with no standalone patch for current production versions. While Adobe suggests configurations to reduce risk, many stores use custom setups that leave upload directories exposed.

“The vulnerable code has existed since the very first Magento 2 release. Adobe fixed it in the 2.4.9 pre-release branch as part of APSB25-94, but no isolated patch exists for current production versions.” continues the report. “While Adobe provides a sample web server configuration that would largely limit the fallout, the majority of stores use a custom configuration from their hosting provider.”

Even if execution is blocked, malicious files remain on disk and could become active after future configuration changes or migrations.

Sansec pointed out that no official patch is available yet for production Magento versions, so mitigation is key. Organizations should block attacks in real time with a WAF, restrict access to upload directories via proper server configuration, and scan systems for compromise. Note that blocking access alone doesn’t stop malicious uploads, making active protection essential.
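As an added illustration of the "scan systems for compromise" step (example code written for this page, not Sansec's or Adobe's tooling), the scanner below walks the upload directory named in the report and flags stored files that carry a PHP open tag behind an image header, a server-executable extension anywhere in the name, or no image signature at all; the sample files and their layout are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Directory named in the Sansec write-up, relative to the Magento root (assumed cwd).
UPLOAD_DIR = Path("pub/media/custom_options/quote")

# Magic bytes of the image formats a custom "file" option is normally expected to hold.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")
# PHP open tags; a polyglot hides one of these after a valid image header.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
# Extensions a misconfigured web server might hand to the PHP interpreter.
EXEC_EXT = {".php", ".phtml", ".phar", ".php5", ".php7"}


def classify(data: bytes, name: str) -> list[str]:
    """Return the reasons a stored upload looks suspicious (empty list = clean)."""
    reasons = []
    if PHP_TAG.search(data):
        reasons.append("php-tag")
    # Check every suffix so double extensions such as x.php.jpg are caught too.
    if any(s.lower() in EXEC_EXT for s in Path(name).suffixes):
        reasons.append("executable-extension")
    if not data.startswith(IMAGE_MAGIC):
        reasons.append("not-an-image")
    return reasons


def scan_dir(root: Path) -> dict[str, list[str]]:
    """Walk root recursively and map each suspicious file (relative path) to its reasons."""
    findings = {}
    for path in root.rglob("*"):
        if path.is_file():
            reasons = classify(path.read_bytes(), path.name)
            if reasons:
                findings[str(path.relative_to(root))] = reasons
    return findings


def demo() -> dict[str, list[str]]:
    """Constructed sample files in a temporary directory; not real captured uploads."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "a").mkdir()
        (root / "a" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0JFIF" + b"\x00" * 32)
        (root / "a" / "poly.jpg").write_bytes(b"GIF89a" + b"\x00" * 8 + b"<?php echo 1; ?>")
        (root / "a" / "shell.php").write_bytes(b"<?php echo 'x'; ?>")
        return scan_dir(root)


if __name__ == "__main__":
    print(demo())
    print(scan_dir(UPLOAD_DIR) if UPLOAD_DIR.is_dir() else "upload dir not found")
```

Any hit is a file to quarantine and trace back through the REST access logs; a clean scan says nothing about whether the web server would execute such a file, so the directory restriction is still needed.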

Sansec has not seen active exploitation yet, but the exploit is already circulating, and automated attacks are likely to emerge soon.

Magento-powered e-stores are a prime target for hackers. This week, cybersecurity firm Netcraft reported that, since February 27, a large-scale campaign has defaced over 7,500 Magento sites, targeting e-commerce platforms, global brands, and government services. Attackers placed plaintext defacement files across more than 15,000 hostnames, directly compromising affected infrastructure.


Pierluigi Paganini

(SecurityAffairs – hacking, PolyShell)

Article source: https://securityaffairs.com/189744/security/polyshell-flaw-exposes-magento-and-adobe-commerce-to-file-upload-attacks.html