Adobe has released a series of out-of-band security fixes to address multiple Magento vulnerabilities that lead to code execution, customer list tampering.
Eight of the vulnerabilities are considered either critical or important, only one is considered a moderate-severity flaw. The critical flaws are tracked as CVE-2020-24407 and CVE-2020-24400.
Below the list of affected versions:
|Magento Commerce||2.3.5-p1 and earlier versions||All|
|Magento Commerce||2.4.0 and earlier versions||All|
|Magento Open Source||2.3.5-p1 and earlier versions||All|
|Magento Open Source||2.4.0 and earlier versions||All|
One of the critical flaws addressed by Adobe is a file upload issue that can allow list bypass. Another critical SQL injection issue can lead to the execution of arbitrary code or arbitrary read/write database access. Both issues require an attacker to have already obtained admin privileges.
Adobe has also addressed a vulnerability, tracked as CVE-2020-24402, that can allow attackers to manipulate and modify customer lists.
Other flaws fixed by Adobe include a stored cross-site scripting (XSS) issue (CVE-2020-24408), a user session invalidation bug (CVE-2020-24401), and a security vulnerability that allows Magento CMS pages to be modified without permission (CVE-2020-24404). The company also addressed two restricted resource access bugs, tracked as CVE-2020-24405 and CVE-2020-24403 respectively, and unintended disclosure of a document root path that could lead to sensitive information disclosure (CVE-2020-24406).
This week, Adobe has also released a security update to address a critical remote code execution flaw in Adobe Flash Player (CVE-2020-9746) that could be exploited by threat actors by tricking the victims into visiting a website.
Attackers could exploit this flaw by simply inserting malicious strings in HTTP responses while unaware users visit a website.
(SecurityAffairs – hacking, Adobe)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.