Adobe fixes Magento flaws that can lead to code execution

4 years ago 160
BOOK THIS SPACE FOR AD
ARTICLE AD

Adobe released a series of out-of-band security fixes to address multiple Magento vulnerabilities that lead to code execution, customer list tampering.

Adobe has released a series of out-of-band security fixes to address multiple Magento vulnerabilities that lead to code execution, customer list tampering.

Eight of the vulnerabilities are considered either critical or important, only one is considered a moderate-severity flaw. The critical flaws are tracked as CVE-2020-24407 and CVE-2020-24400.

Below the list of affected versions:

ProductVersionPlatform
Magento Commerce 2.3.5-p1 and earlier versions  All
Magento Commerce 2.4.0 and earlier versions All
Magento Open Source 2.3.5-p1 and earlier versionsAll
Magento Open Source 2.4.0 and earlier versions All

One of the critical flaws addressed by Adobe is a file upload issue that can allow list bypass. Another critical SQL injection issue can lead to the execution of arbitrary code or arbitrary read/write database access. Both issues require an attacker to have already obtained admin privileges. 

Adobe has also addressed a vulnerability, tracked as CVE-2020-24402, that can allow attackers to manipulate and modify customer lists. 

Other flaws fixed by Adobe include a stored cross-site scripting (XSS) issue (CVE-2020-24408), a user session invalidation bug (CVE-2020-24401), and a security vulnerability that allows Magento CMS pages to be modified without permission (CVE-2020-24404). The company also addressed two restricted resource access bugs, tracked as CVE-2020-24405 and CVE-2020-24403 respectively, and unintended disclosure of a document root path that could lead to sensitive information disclosure (CVE-2020-24406).

This week, Adobe has also released a security update to address a critical remote code execution flaw in Adobe Flash Player (CVE-2020-9746) that could be exploited by threat actors by tricking the victims into visiting a website.

Attackers could exploit this flaw by simply inserting malicious strings in HTTP responses while unaware users visit a website.

Pierluigi Paganini

(SecurityAffairs – hacking, Adobe)

Read Entire Article