Critical Magento Vulnerabilities Announced by Adobe

Adobe announced that it has released a patch for Magento 2 to address several critical vulnerabilities. Some of the vulnerabilities could allow attackers to take control of administrator sessions as well as grant access to customer information.

The vulnerabilities in the popular Magento e-commerce platform affect both the open source and the commercial editions.

According to the Magento Open Source Release Notes:

“Thirty-three security enhancements that help eliminate remote code execution (RCE) and cross-site scripting (XSS) vulnerabilities

No confirmed attacks related to these issues have taken place to date.

However, some vulnerabilities can potentially be exploited to access customer information or take control of administrator sessions.”


Vulnerabilities Fixed in Magento Ecommerce Platform

Adobe has announced the release of Magento 2.4.3 which contains a total of 33 security enhancements.

These security issues affect both the commercial and open source versions of Magento.

Commercial versions of Magento affected:

  • 2.4.2 and earlier versions
  • 2.4.2-p1 and earlier versions
  • 2.3.7 and earlier versions

Open Source versions of Magento affected:

  • 2.4.2-p1 and earlier versions
  • 2.3.7 and earlier versions
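As an added example (not code from the article, Adobe or Magento), a small Python check that decides whether a Magento 2 version string, or a `bin/magento --version` output line in the usual `Magento CLI x.y.z` form, falls inside the affected ranges listed above; the sample CLI output lines are constructed.

```python
# Added example, not from the article or from Adobe/Magento: decide whether an
# installed Magento 2 version falls inside the affected ranges the article lists.
import re
from typing import Tuple

Version = Tuple[int, int, int, int]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?")


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH[-pN]' into a comparable tuple.

    A missing '-pN' security-patch suffix counts as p0, so 2.4.2 < 2.4.2-p1.
    """
    m = _VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised Magento version string: {text!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def version_from_cli_output(output: str) -> Version:
    """Extract the version from a `bin/magento --version` line such as
    'Magento CLI 2.4.2-p1' (the sample lines in main are constructed)."""
    m = _VERSION_RE.search(output)
    if m is None:
        raise ValueError("no version found in CLI output")
    return parse_version(m.group(0))


def is_affected(v: Version) -> bool:
    """Affected ranges as stated in the article (fix shipped in 2.4.3):
    2.3.7 and earlier; on the 2.4 branch, 2.4.2-p1 and earlier."""
    if v <= parse_version("2.3.7"):
        return True
    return v[:2] == (2, 4) and v <= parse_version("2.4.2-p1")


def assess(cli_output: str) -> str:
    """Return 'affected' or 'not affected' for one bin/magento --version line."""
    return "affected" if is_affected(version_from_cli_output(cli_output)) else "not affected"


if __name__ == "__main__":
    # Constructed sample CLI output lines, not captured from a real system.
    for line in ("Magento CLI 2.3.7", "Magento CLI 2.4.2-p1",
                 "Magento CLI 2.4.3", "Magento CLI 2.2.11"):
        print(f"{line}: {assess(line)}")
```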


Magento Critical Security Issues

Several security issues are considered critical.

It should be noted in particular that of the sixteen security vulnerabilities announced by Adobe, ten do not require any administrator or user credentials to be exploited.

The six remaining vulnerabilities require that an attacker already has administrator level privileges.

Eleven of the vulnerabilities are rated as critical and the rest as important.

Eleven critical vulnerabilities in Magento

While none of the vulnerabilities should be ignored, those classified as critical are particularly dangerous.

There are four types of vulnerabilities:

  1. Arbitrary code execution (7 vulnerabilities)
  2. Security feature bypass (2)
  3. Application denial of service (1)
  4. Privilege escalation (1)

Magento arbitrary code execution

The arbitrary code execution vulnerabilities affecting Magento fall into six weakness types:

  • Improper access control
  • Improper input validation
  • Path traversal
  • Operating system command injection
  • Server-side request forgery (SSRF)
  • XML injection (aka Blind XPath Injection)

Examples of Magento Security Feature Bypass Exploits

There are two types of security feature bypass issues affecting Magento which are fixed in Magento version 2.4.3.

  • Improper input validation
    This type of problem arises when the software fails to validate input that is dangerous for it to process. It allows an attacker to craft unexpected input that could lead to the execution of arbitrary code.
  • Incorrect authorization
    An incorrect authorization vulnerability occurs when the software fails to properly verify that the user submitting a request actually holds the privilege level that the requested action requires.


A common feature of the above vulnerabilities is that they give an attacker access to sensitive parts of the software, which in turn allows the attacker to execute arbitrary commands.

From Adobe’s summary:

“Magento has released updates for the Adobe Commerce and Magento Open Source editions. These updates resolve vulnerabilities deemed critical and important. Successful exploitation could lead to the execution of an arbitrary code.”

Magento update version 2.4.3

Updating to the latest version of Magento is recommended. Adobe’s release notes indicate, however, that there are backward compatibility issues to consider.

Some of the fixes are also released separately and can be applied independently of the full version update.


Please read the full Adobe release notes in the security bulletin:

  • Adobe Security Bulletin
  • Magento Open Source 2.4.3 Release Notes
  • Adobe Commerce 2.4.3 Release Notes
  • Minor backward incompatibility issues
  • Main backward compatibility issues