Background
Security vulnerabilities in Magento and its extension ecosystem are identified through two routes: deliberate targeted research during security audits, and investigation of anomalous behaviour encountered during incident response or routine code review. This case study covers the principal disclosures across both.
CosmicSting — CVE-2024-34102
The most significant disclosure. CosmicSting is a critical XXE (XML External Entity) vulnerability in the REST API of Adobe Commerce and Magento Open Source, affecting 2.4.7 and earlier releases that lack the June 2024 security patch (APSB24-40). Exploited successfully, it lets an unauthenticated attacker read arbitrary files from the server, including app/etc/env.php, which holds the database credentials, the encryption (crypt) key and API secrets.
In practice, exploitation leads to full store compromise: database access, decryption of stored customer data, and the ability to inject malicious code into the checkout flow. Because the crypt key is also used to sign the platform's web API tokens, an attacker who has already read env.php can mint valid admin API tokens after the XXE itself is patched; a store that sat exposed needs its encryption key rotated, not just the patch applied.
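The vulnerability class, shown as an added example rather than Magento's own code: a PHP parser call that substitutes external entities leaks a local file, beside the hardened parse. The stand-in secret file, the payload and the function names are assumptions constructed for the demo; CosmicSting's actual endpoint and request shape are not reproduced here.

```php
<?php
// Added illustration of the XXE class behind CosmicSting. This is not Magento's
// code: the parser calls, the payload and the stand-in secret file are
// assumptions constructed for the demo. Needs ext-simplexml (bundled with PHP).
declare(strict_types=1);

libxml_use_internal_errors(true);

// Constructed stand-in for app/etc/env.php. A PHP file is not well-formed XML,
// so the payload pulls it through php://filter as base64 text instead, which
// is the standard trick for reading non-XML files via XXE in PHP.
$secretFile = tempnam(sys_get_temp_dir(), 'env');
file_put_contents($secretFile, "<?php return ['crypt' => ['key' => 'demo-key']];\n");

// Attacker-controlled document: an inline DTD declares an external entity
// whose SYSTEM identifier is a local resource.
$payload = <<<XML
<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource={$secretFile}">
]>
<data><note>&xxe;</note></data>
XML;

/**
 * Vulnerable: LIBXML_NOENT asks libxml to substitute entities, external ones
 * included, so the referenced resource is read into the document. On PHP 8 the
 * default entity loader is still consulted whenever this flag is set.
 */
function parseVulnerable(string $xml): string
{
    $doc = new SimpleXMLElement($xml, LIBXML_NOENT);
    return (string) $doc->note;
}

/**
 * Hardened: reject DTDs before parsing, never pass LIBXML_NOENT, and install an
 * entity loader that returns null so no external reference can be fetched even
 * if another code path turns substitution on. LIBXML_NONET alone would not
 * help, since file:// and php:// are not network fetches.
 */
function parseHardened(string $xml): string
{
    if (preg_match('/<!DOCTYPE|<!ENTITY/i', $xml)) {
        throw new InvalidArgumentException('DTD and entity declarations are not accepted');
    }
    libxml_set_external_entity_loader(static fn () => null);
    try {
        $doc = new SimpleXMLElement($xml, LIBXML_NONET);
    } finally {
        libxml_set_external_entity_loader(null); // restore the default loader
    }
    return (string) $doc->note;
}

// The vulnerable parse returns the base64 of the secret file as the entity's text.
echo "vulnerable: ", base64_decode(parseVulnerable($payload)), PHP_EOL;
try {
    parseHardened($payload);
} catch (InvalidArgumentException $e) {
    echo "hardened: rejected, ", $e->getMessage(), PHP_EOL;
}
echo "hardened, benign input: ", parseHardened('<data><note>hello</note></data>'), PHP_EOL;
unlink($secretFile);
```

The DOCTYPE check is the primary control because most API payloads have no legitimate reason to carry a DTD; the null entity loader is defence in depth for any parser call elsewhere in the code base that still passes LIBXML_NOENT.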
Responsible disclosure contribution: Contributed to the analysis and community remediation effort. Built and operated the CosmicSting Validator — a free tool that tested whether a Magento store had applied the patch by checking for the specific vulnerability condition via a safe probe. The tool scanned over 6,500 stores and identified more than 2,300 vulnerable instances, enabling operators to patch before active exploitation.
The outreach component involved directly contacting merchants that the tool identified as vulnerable and that appeared not to have patched, ranging from small businesses to multi-site enterprise operations.
Amasty — Stored XSS Collection
Identified a collection of stored XSS vulnerabilities across multiple Amasty Magento 2 extensions. Attacker-controlled input was persisted and later rendered without escaping, allowing malicious scripts to execute in the Magento admin panel and, in several cases, on customer-facing pages, with potential for admin account compromise, customer session hijacking and checkout manipulation.
Disclosed privately to Amasty’s security team with full reproduction steps and proof-of-concept payloads. Patches shipped in subsequent extension releases.
Mirasvit — Stored XSS Collection
A similar collection of stored XSS vulnerabilities across Mirasvit extensions, affecting both admin panel and frontend interfaces. Same disclosure methodology: private report with full reproduction, coordinated patch timeline, and verification of the fix against the disclosed payloads before publication.
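The pattern shared by the Amasty and Mirasvit findings, as an added example that is not code from either vendor: a persisted value reaches three output contexts unescaped, and each context needs its own escaper. The field, the payload and the function names are constructed for the demo; the escaper roles mirror those of Magento's Escaper class but the code here is stand-alone.

```php
<?php
// Added example, not code from Amasty or Mirasvit: a stored value rendered
// into HTML text, an attribute and a script block without escaping, next to
// the context-specific escaping that fixes it. Payload and field are constructed.
declare(strict_types=1);

// Constructed: a value an attacker saved through an ordinary form field that an
// extension later renders, for instance in an admin grid or a storefront block.
const STORED = '"><img src=x onerror="alert(document.cookie)"><!--';

/** Vulnerable: the persisted value is concatenated into every sink as-is. */
function renderVulnerable(string $value): string
{
    return '<td>' . $value . '</td>'
         . '<input type="text" value="' . $value . '">'
         . '<script>var label = "' . $value . '";</script>';
}

/** HTML text and quoted-attribute context (the role of escapeHtml /
 *  escapeHtmlAttr in Magento's Escaper). Attributes must be quoted for this
 *  to be sufficient; an unquoted attribute is broken by a plain space. */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** JavaScript string context (the role of escapeJs). htmlspecialchars is the
 *  wrong tool here: a JSON literal with the HEX flags keeps <, >, & and quotes
 *  out of the markup, so the value can neither end the string nor close the
 *  <script> element early. */
function escapeJs(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

/** Hardened: each sink gets the escaper for its own context. */
function renderHardened(string $value): string
{
    return '<td>' . escapeHtml($value) . '</td>'
         . '<input type="text" value="' . escapeHtml($value) . '">'
         . '<script>var label = ' . escapeJs($value) . ';</script>';
}

/** Check a reviewer can run on any rendered fragment during fix verification:
 *  the payload's tag must never survive as a literal "<img". */
function containsLiveMarkup(string $html): bool
{
    return (bool) preg_match('/<img\b/i', $html);
}

echo renderVulnerable(STORED), PHP_EOL;
echo renderHardened(STORED), PHP_EOL;
var_dump(containsLiveMarkup(renderVulnerable(STORED)));
var_dump(containsLiveMarkup(renderHardened(STORED)));
```

When verifying a vendor's fix, run the originally disclosed payloads through every sink the report listed, not only the one the patch notes mention; a fix that escapes the grid column but still injects the same value into an inline script block leaves the admin-side case open.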
Pay360 — SQL Injection
SQL injection vulnerability in the order export functionality of a Pay360 Magento 1 extension. The export query was built by string concatenation with user-controlled parameters, a classic pattern with high impact: an attacker can alter the query to read order data, customer data and the database schema.
Reported directly to Pay360. Patched in a subsequent release.
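The concatenation pattern described above and its parameterised counterpart, as an added example that is not Pay360's code. The table, columns, sample orders and function names are constructed for the demo and run against in-memory SQLite through PDO; the sort-column handling is included because identifiers cannot be bound and export endpoints typically take one from the request.

```php
<?php
// Added example, not Pay360's code: an export query built by concatenation,
// beside a parameterised version with a whitelisted sort column. Schema and
// rows are constructed for the demo (needs ext-pdo_sqlite).
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE sales_order (entity_id INTEGER, increment_id TEXT, status TEXT,
           customer_email TEXT, grand_total REAL)');
$db->exec("INSERT INTO sales_order VALUES
    (1, '100000001', 'complete', 'a@example.com', 10.0),
    (2, '100000002', 'pending',  'b@example.com', 20.0),
    (3, '100000003', 'canceled', 'c@example.com', 30.0)");

/** Vulnerable: request parameters are spliced straight into the SQL text. */
function exportVulnerable(PDO $db, string $status, string $orderBy): array
{
    $sql = "SELECT increment_id, customer_email FROM sales_order"
         . " WHERE status = '" . $status . "' ORDER BY " . $orderBy;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** Hardened: bind the value; whitelist the identifier, since placeholders
 *  cannot stand in for column names. */
function exportHardened(PDO $db, string $status, string $orderBy): array
{
    $allowedSort = ['entity_id', 'increment_id', 'grand_total'];
    if (!in_array($orderBy, $allowedSort, true)) {
        throw new InvalidArgumentException("unsupported sort column: $orderBy");
    }
    $stmt = $db->prepare("SELECT increment_id, customer_email FROM sales_order"
                       . " WHERE status = :status ORDER BY $orderBy");
    $stmt->execute([':status' => $status]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input: closes the string literal, adds a true predicate
// and comments out the rest of the statement.
$evil = "x' OR 1=1 --";

// Vulnerable path: the filter is defeated and every order is exported.
print_r(exportVulnerable($db, $evil, 'entity_id'));

// Hardened path: the same text is compared literally as a status value.
print_r(exportHardened($db, $evil, 'entity_id'));

// Hardened path with a tampered sort column: rejected before any SQL runs.
try {
    exportHardened($db, 'complete', 'entity_id; DROP TABLE sales_order');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

In a Magento 1 code base the same fix is expressed through Zend_Db: build the export with a select object and `->where('status = ?', $status)`, or quote values with the adapter's `quoteInto()`, and keep the sort column behind a whitelist either way.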
Additional Disclosures
Several cases of sensitive information disclosure at active Magento merchants: publicly accessible PHP files exposing configuration data, database credentials, payment gateway API keys and session logs. Each was reported directly to the merchant, with no public disclosure.
Disclosure Process
Responsible disclosure requires precision and patience. A finding is only useful if it can be reproduced and understood by the receiving team. Each disclosure report includes:
- Detailed reproduction steps, with proof-of-concept payloads held back from publication until the patch ships
- Root cause analysis tracing the vulnerability to the specific code
- Severity assessment under CVSS
- Recommended remediation approach
- Verification methodology for the fix
Disclosure timelines vary by vendor responsiveness and the complexity of the fix. Where vendors have not responded within a reasonable window, limited public disclosure has been made to protect the community.
Impact
The practical impact of vendor disclosures extends beyond the specific stores operated by the disclosing researcher — vendor patches protect every site running the affected extension or platform version. The CosmicSting outreach effort contributed directly to patching of stores that might otherwise have remained in the vulnerable window for months, given the volume of unpatched instances identified.