Critical flaws in Adobe’s Magento e-commerce platform – which is commonly targeted by attackers like the Magecart cybergang – could enable arbitrary code execution on affected systems.
Magento is a popular, Adobe-owned open-source e-commerce platform that powers many online shops. Adobe on Tuesday released security updates for flaws affecting Magento Commerce 2 and Magento Open Source 2, versions 2.3.5-p1 and earlier. These included two critical vulnerabilities and two important-severity flaws.
“Successful exploitation could lead to arbitrary code execution and signature verification bypass,” according to Adobe.
The critical flaws include a path traversal flaw (CVE-2020-9689) that could enable arbitrary code execution. Path traversal attacks essentially allow attackers to trick a web application into reading the files and directories that are stored outside the web root folder. Another critical vulnerability (CVE-2020-9692) is a security mitigation bypass, which could also allow arbitrary code execution. For both of these flaws, an attacker needs administrative privileges to exploit the vulnerability.
Adobe also patched an important-severity observable timing discrepancy, which could enable signature verification bypass (CVE-2020-9690). According to Mitre, an observable timing discrepancy is when two separate operations require different amounts of time to complete – in a way that is observable to an attacker – which reveals security-relevant information about the vulnerable product.
Finally, an important-severity, DOM-based cross-site scripting issue could allow arbitrary code execution. An attacker would not need to be authenticated to abuse this flaw – meaning that it is exploitable without credentials.
Users are urged to update to Magento Commerce 2 versions 2.4.0 or 2.3.5-p2, and Magento Open Source 2 versions 2.4.0 or 2.3.5-p2. The update for all vulnerabilities is a priority 2, meaning they exist in a product that has historically been at elevated risk – but for which there are currently no known exploits.
“Based on previous experience, we do not anticipate exploits are imminent. As a best practice, Adobe recommends administrators install the update soon (for example, within 30 days),” said Adobe.
Magento has had its share of security flaws over the past year. In April Adobe patched several critical flaws in Magento, which if exploited could lead to arbitrary code execution or information disclosure. The most serious of these include critical command infection flaws (CVE-2020-9576, CVE-2020-9578, CVE-2020-9582, CVE-2020-9583) and critical security mitigation bypass vulnerabilities (CVE-2020-9579, CVE-2020-9580). Adobe also issued patches in January as part of its overall release of the Magento 2.3.4 upgrade, giving the fixes a “priority 2” rating.
The issue also comes after Magento 1 reached end-of-life (EOL) in June, with Adobe making a last-ditch effort to urge the 100,000 online stores still running the outdated version to migrate to Magento 2. E-commerce merchants must migrate to Magento 2, which was released five years ago.
Complimentary Threatpost Webinar: Want to learn more about Confidential Computing and how it can supercharge your cloud security? This webinar “Cloud Security Audit: A Confidential Computing Roundtable” brings top cloud-security experts together to explore how Confidential Computing is a game changer for securing dynamic cloud data and preventing IP exposure. Join us Wednesday Aug. 12 at 2pm ET for this FREE live webinar.