CVE-2022-24086 and CVE-2022-24087, improper input validation vulnerabilities in the contact form of Magento Open Source and Adobe Commerce, have received a CVSS score of 9.8 out of 10. They are classified as pre-authentication issues, which means they can be exploited without credentials.
Magento Open Source / Adobe Commerce - 2.3.3-p1 - 2.3.4
Magento Open Source / Adobe Commerce - 2.3.4-p2 - 2.4.2-p2
Magento Open Source / Adobe Commerce - 2.4.3 - 2.4.3-p1
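To check a shop's release against the affected ranges listed above, here is an added helper (my own example, not code from Adobe or the Magento project) that parses Magento version strings, including the "-pN" patch-release suffix, and reports which listed range a version falls into. The ranges are copied from the list above; a version outside all of them is reported as "not in listed ranges".

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]

# Magento release strings look like "2.4.2" or "2.4.2-p2" (patch release).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(text: str) -> Version:
    """Parse a Magento release string into a comparable (major, minor, patch, p) tuple.

    A release without a "-pN" suffix is treated as patch level 0, so the
    ordering is 2.3.4 < 2.3.4-p1 < 2.3.4-p2, matching Adobe's release order.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


# Affected ranges (inclusive), copied from the advisory list above.
AFFECTED_RANGES = [
    ("2.3.3-p1", "2.3.4"),
    ("2.3.4-p2", "2.4.2-p2"),
    ("2.4.3", "2.4.3-p1"),
]


def affected_range(version: str) -> Optional[Tuple[str, str]]:
    """Return the listed (low, high) range containing `version`, or None."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return (low, high)
    return None


def is_affected(version: str) -> bool:
    """True if `version` falls inside one of the listed affected ranges."""
    return affected_range(version) is not None


if __name__ == "__main__":
    # Constructed sample inventory of shop versions, not real hosts.
    for v in ["2.3.3", "2.3.3-p1", "2.4.0", "2.4.2-p2", "2.4.3-p1", "2.4.3-p2"]:
        rng = affected_range(v)
        status = f"affected, in range {rng[0]}..{rng[1]}" if rng else "not in listed ranges"
        print(f"{v:10} -> {status}")
```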
CVE-2022-24086 was a critical zero-day vulnerability affecting Magento shops; it was reported as exploited in limited attacks. Another flaw, CVE-2022-24087, has the same severity level and a similar attack vector.
After some research I found no legitimate, working PoC demonstrating the severity of this Adobe flaw, so I decided to build my own. By reverse engineering the official and unofficial patches I found that in /app/code/Magento/Email/Model/Template/Filter.php input was not properly sanitized: because the platform fails to recognize a combination of character types during form validation, harmful sequences pass through unchecked and bypass the input validation methods that normally sanitize unwanted input. This opens up SQL and PHP object injection attacks within Magento, which can add unwanted database entries or enable remote code execution.
Some parts of the code added in the official patch (MDVA-43395) that lead us to the PoC:
What we need to do is craft a sophisticated payload to POST: