Adobe Systems releases fix for critical Remote Code Execution vulnerability in the e-commerce platform Magento Commerce 2 and Magento Open Source 2
Adobe’s Magento is a popular e-commerce platform. It was discovered to have four critical vulnerabilities that could allow potential hackers to remotely execute arbitrary code and even take over a Magento-powered website. Adobe Systems has now released security updates that patch all four vulnerabilities in both the commercial and the open-source versions of the Magento e-commerce platform.
Magento e-Commerce platform vulnerabilities CVE-2020-9689, CVE-2020-9690, CVE-2020-9691, and CVE-2020-9692:
Security researchers had discovered four vulnerabilities in both the commercial Magento Commerce 2 platform and the open-source Magento Open Source 2 platform. Of the four vulnerabilities, two were considered highly critical. The vulnerability with the identifier CVE-2020-969 is a path traversal vulnerability, while the second one, CVE-2020-9692, is a security countermeasure bypass flaw. Both of these vulnerabilities were highly critical and could have been exploited by potential hackers to remotely execute arbitrary code. The vulnerabilities required administrator access to be exploited.
The other two, viz. CVE-2020-9690, a flaw that allowed remote hackers to bypass signature verification, and CVE-2020-9691, a cross-site scripting (XSS) flaw, were rated as medium risk. However, the XSS flaw could be exploited without administrator access for remote code execution.
All four of the above vulnerabilities existed in Magento Commerce versions 2.3.5-p1 and earlier and in Magento Open Source versions 2.3.5-p1 and earlier.
Adobe patches for the flaws:
Adobe has released “2.4.0” and “2.3.5-p2” for “Magento Commerce 2 (formerly Magento Enterprise Edition)” and “Magento Open Source 2 (formerly Magento Community Edition)”, which resolved the vulnerabilities.
If you are running Magento CMS to power your e-commerce website, you should update your installation to the latest version (2.4.0) or upgrade to Magento Commerce 2.3.5-p2 or Magento Open Source 2.3.5-p2 as soon as possible.
Please note that Adobe has already discontinued “Magento Commerce (formerly Magento Enterprise Edition) 1.14” and “Magento Open Source (formerly Magento Community Edition) 1” on June 30th and no patches or updates are available for these versions.
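The version boundaries above (2.3.5-p1 and earlier affected, 2.3.5-p2 and 2.4.0 fixed, the 1.x line end-of-life with no patch available) are easy to get wrong by eye because Magento appends a `-pN` patch level to an otherwise dotted version. The following is an added example, not code from the article or from Adobe or the Magento project, that parses such version strings and classifies an installation against exactly the boundaries the article states. It assumes, as a labelled assumption, that the root `composer.json` of a Magento 2 project carries the release in its `"version"` field; the sample `composer.json` text is constructed for the demonstration.

```python
import json
import re
from typing import Tuple

# Boundaries as stated in the article: 2.3.5-p1 and earlier are affected,
# 2.3.5-p2 and 2.4.0 carry the fix, and the Magento 1.x line is discontinued.
LAST_AFFECTED = "2.3.5-p1"
FIXED_RELEASES = ("2.3.5-p2", "2.4.0")
EOL_MAJOR = 1

_VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})(?:-p(\d+))?")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.3.5-p1' or '1.14.4.5' into a comparable tuple.

    Dotted components are padded to four entries so that three- and
    four-part versions compare sanely; the '-pN' patch level becomes the
    fifth entry (0 when absent), so 2.3.5 < 2.3.5-p1 < 2.3.5-p2 < 2.4.0.
    """
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {text!r}")
    parts = [int(x) for x in m.group(1).split(".")]
    parts += [0] * (4 - len(parts))
    return tuple(parts + [int(m.group(2) or 0)])


def assess(version: str) -> str:
    """Classify a Magento version as 'eol', 'vulnerable' or 'patched'."""
    v = parse_version(version)
    if v[0] <= EOL_MAJOR:
        # Magento 1.x: discontinued, no fix exists; the only remedy is migration.
        return "eol"
    if v <= parse_version(LAST_AFFECTED):
        return "vulnerable"
    return "patched"


def version_from_composer(composer_json_text: str) -> str:
    """Read the release from a project's root composer.json.

    Assumption (hypothetical for this example): the file's top-level
    "version" key holds the Magento release string.
    """
    return json.loads(composer_json_text)["version"]


def recommendation(version: str) -> str:
    """Human-readable advice matching the article's guidance."""
    state = assess(version)
    if state == "eol":
        return f"{version}: end-of-life line, no patch available; migrate to 2.4.0"
    if state == "vulnerable":
        return f"{version}: affected; upgrade to {' or '.join(FIXED_RELEASES)}"
    return f"{version}: not in the affected range"


if __name__ == "__main__":
    # Constructed sample composer.json, not taken from any real installation.
    sample_composer = '{"name": "magento/project-community-edition", "version": "2.3.5-p1"}'
    print(recommendation(version_from_composer(sample_composer)))
    for v in ("2.3.4", "2.3.5", "2.3.5-p2", "2.4.0", "1.14.4.5"):
        print(recommendation(v))
```

The tuple comparison is the whole trick: because the patch level is carried as a separate trailing component, a plain `-p1` versus `-p2` difference is ordered correctly without any special casing, and a future release such as 2.3.6 or 2.4.1 automatically falls on the patched side of the 2.3.5-p1 boundary.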