On October 15, 2020, the latest versions of Magento Commerce and Open Source2.4.1, 2.3.6, and 2.4.0-p1 – available to the entire Magento Community. These updates solve the vulnerabilities issues for Magento’s 2.3.5-p1 and 2.4.0 and earlier versions for both Commerce and Open-Source.

Adobe Magento has recently announced that the two critical vulnerabilities (CVE-2020-24407 and CVE-2020-24400) may allow arbitrary code execution and provide read or write access to the database.

Learn more with the latest Adobe Magento’s Security Bulletin.

With the retail businesses preparing for sales growth in the upcoming months, including this past week’s highly anticipated Amazon Prime Day and November’s Black Friday around the corner, the presence of critical vulnerabilities on the Magento platform could pose huge issues for Merchants!

Attackers such as the Magecart threat group have been infamous to target Adobe Magento’s eCommerce platform. With such critical vulnerabilities exposed, they could enable arbitrary code execution on affected systems.

These critical vulnerabilities put Magento in a tough spot to quickly secure any possible vulnerabilities impacting the overall security of Magento Commerce and Magento Open-Source platforms.

What did Adobe Magento announce?

On October 15th Thursday, Adobe Magento disclosed the following:

  • Two critical vulnerabilities
  • Six important rated errors
  • One moderate-severity vulnerability
 

The above-disclosed vulnerabilities would be affecting both Magento Open Source and Magento Commerce.

All About the Critical vulnerabilities Disclosed by Adobe

Two critical vulnerabilities that would allow hackers to perform arbitrary code execution.

Gaining Arbitrary Code Execution

The concern originates from the application not validating full filenames when utilizing an “allow list” way to check the file extensions.

This could permit an attacker to bypass the validation and upload a malicious file.

To exploit this flaw (CVE-2020-24407), attackers would not require pre-authentication (meaning the fault is exploitable without credentials) – however, they would need administrative privileges.

Arbitrary Read Or Write Access To A Database

Another critical flaw is an SQL injection vulnerability.

This type of web security flaw permits an attacker to intervene with the queries that an application advances to its database. An attacker without authentication and administrative privileges – could exploit this glitch to gain arbitrary read or write access to a database.

Other Critical Vulnerabilities Disclosed By Adobe Magento

Apart from the above mentioned two critical bugs, Adobe Magento also declared patches for several major improper-authorization vulnerabilities, which occur when an application does not accurately check that a user is authorized to access functionality — which could eventually expose data.

Another critical vulnerability originates from an inadequate validation of a User Session, proffering an attacker unauthorized access to restricted resources (CVE-2020-24401).

According to Magento, an attacker would require administrative rights for all of the vulnerabilities listed above but wouldn’t necessitate pre-authentication to exploit the flaw.

Lastly, an important-severity cross-site scripting flaw (CVE-2020-24408) was also declared, allowing for arbitrary JavaScript execution in the browser. To abuse this, an attacker wouldn’t require administrative rights but instead would demand credentials.

What is Adobe Magento doing to deal with these vulnerabilities?

The above-discussed vulnerabilities will specifically affect the following versions of the Magento platform:

  • Magento Commerce, versions 2.3.5-p1 and earlier and 2.4.0 and earlier;
  • Magento Open Source, versions 2.3.5-p1 and earlier and 2.4.0 and earlier.
 

To ensure no online store gets abused of these vulnerabilities or vulnerabilities, Adobe Magento has announced patches (below) in Magento Commerce and Magento Open Source versions 2.4.1 and 2.3.6. It has declared in clear words for eCommerce webstore owners and merchants to “update their installation to the newest version.”

Please note the update of these vulnerabilities is designated as priority 2, meaning they exist in a product that has historically been at high risk, but there are currently no identified exploits.

Reference: Threatpost.com

Conclusion

Magento has witnessed its share of vulnerabilities and has managed to timely put out the required updates, avoiding any breach to online stores. In July, Adobe Magento fixed two significant vulnerabilities and severity vulnerabilities that could have led to signature-verification bypass and enabled code execution. And then in April, Adobe Magento patched multiple other vulnerabilities in Magento, which could have led to information disclosure.

At Rave Digital, we would highly recommend every online merchant, and business owner installs the required updates. Or if you’re still operating your store on Magento 1, which has reached end-of-life (EOL) in June this year, contact our Magento experts to help you upgrade to Magento 2 latest version.