Cisco Merchandise Store, which offers company-branded apparel and accessories, had its website taken down after being compromise with customer information-stealing JavaScript code over the weekend, impacting operations of stores for the U.S., Europe, and Asia Pacific, Japan and China markets, reports BleepingComputer.
Such malicious JavaScript code — which is potentially targeted at exfiltrating the credentials of Cisco employees who usually use the site during the checkout process — may have been deployed through the exploitation of the critical XML external entity injection vulnerability in Adobe Commerce dubbed "CosmicSting," which could be leveraged to enable private data reading, according to unnamed researchers who discovered the incident. Further analysis of the deobfuscated script revealed that it could also facilitate the theft of phone numbers, email addresses, postal addresses, and credit card details. Cisco has not yet provided any statement regarding the compromise of its gift shop site.
