Adobe fixes security vulnerabilities in Magento, most of which are critical

Adobe has released security updates to fix vulnerabilities in Magento and Adobe Connect.

Magento Security Updates August 2021

Magento is a popular open source e-commerce platform. Magento-backed websites are infamously targeted by cybercriminal groups collectively known as Magecart, which compromise the sites and equip them with payment card skimmers.

Adobe has released updates for Magento Commerce and Magento Open Source editions, fixing 26 CVE-numbered vulnerabilities, most of which are critical.

Of these, a number of bugs are exploitable without credentials and may allow execution of arbitrary code, although all of them are only exploitable if an attacker has administrative privileges. That last condition can be met through another of the vulnerabilities fixed in this batch: CVE-2021-36032, which allows elevation of privileges.

None of the patched vulnerabilities are being actively exploited by attackers, but since Magento is a popular target, admins are advised to install the update quickly.

Adobe Connect updates

Adobe Connect is a software suite for web conferencing, remote presentation and training delivery, and desktop sharing.

This latest security update resolves three vulnerabilities, all rated as “important”:

  • An unspecified violation of secure design principles that could allow attackers to bypass a security feature
  • Two reflected XSS bugs that could lead to execution of arbitrary code

None of these are exploited in the wild. Since Adobe Connect has never been a target for attackers, these updates can wait until more critical updates are implemented.