Critical Vulnerabilities in Magento Commerce Software
30 January 2020
Background
Magento has released security updates addressing several vulnerabilities in the Magento Commerce software; three of them are rated critical:
PRODSECBUG-2579: Deserialisation of untrusted data - CVE-2020-3716: Insufficient validation of serialised input before it is deserialised could allow an attacker to execute arbitrary code on the affected system.
PRODSECBUG-2633: Security bypass - CVE-2020-3718: An unspecified weakness in the enforcement of security restrictions could allow a remote attacker to bypass those restrictions and execute arbitrary code on the affected server.
PRODSECBUG-2660: SQL injection - CVE-2020-3719: Insufficient sanitisation of user-supplied data could allow a remote attacker to send a specially crafted request to the affected application and execute arbitrary SQL commands against the application database.
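The two well-defined bug classes above, deserialisation of untrusted data and SQL injection, are illustrated below in a vulnerable form beside a hardened form. This is added example code, not Magento's code and not a reproduction of CVE-2020-3716 or CVE-2020-3719 (the advisory gives no details of where in Magento they occur). It uses Python's pickle and sqlite3 as stand-ins for the PHP unserialize() and database calls a Magento deployment would actually involve, so that it runs offline; the gadget class, the product table and the crafted request value are constructed sample data.

```python
"""Vulnerable vs hardened handling of serialised input and of SQL parameters.
Added illustration of the bug classes named in the advisory; not Magento code."""
import io
import pickle
import sqlite3

# --- Deserialisation of untrusted data -----------------------------------

EXECUTED = []  # records whether deserialisation triggered code


def side_effect(tag):
    """Stand-in for the attacker-chosen call a gadget object triggers."""
    EXECUTED.append(tag)
    return tag


class Gadget:
    """Constructed serialisable object whose reconstruction runs a function."""
    def __reduce__(self):
        return (side_effect, ("code ran during deserialisation",))


def attacker_payload():
    """Constructed untrusted input: the serialised gadget as bytes."""
    return pickle.dumps(Gadget())


def unsafe_deserialise(blob):
    """Vulnerable: reconstructs whatever the bytes describe, gadgets included.
    Returns the number of attacker-chosen calls that ran (1 = exploited)."""
    EXECUTED.clear()
    pickle.loads(blob)
    return len(EXECUTED)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened: refuses to resolve any class or function named in the data,
    so no code reference in the payload can be turned into a call."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def safe_deserialise(blob):
    """Returns True if the payload was rejected before any code could run."""
    EXECUTED.clear()
    try:
        RestrictedUnpickler(io.BytesIO(blob)).load()
    except pickle.UnpicklingError:
        return len(EXECUTED) == 0
    return False


# --- SQL injection -------------------------------------------------------

def make_db():
    """Constructed sample data: an in-memory product table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE product (sku TEXT, name TEXT, cost REAL)")
    db.executemany("INSERT INTO product VALUES (?, ?, ?)", [
        ("SKU-1", "Widget", 4.0),
        ("SKU-2", "Gadget", 9.5),
    ])
    return db


CRAFTED_SKU = "' OR '1'='1"  # constructed "specially crafted request" value


def unsafe_lookup(db, sku):
    """Vulnerable: user-supplied data is concatenated into the SQL text, so
    the crafted value rewrites the WHERE clause and returns every row."""
    rows = db.execute(f"SELECT name FROM product WHERE sku = '{sku}'").fetchall()
    return [r[0] for r in rows]


def safe_lookup(db, sku):
    """Hardened: parameterised query; the value is bound, never parsed as SQL."""
    rows = db.execute("SELECT name FROM product WHERE sku = ?", (sku,)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    blob = attacker_payload()
    print("unsafe deserialise ran attacker code:", unsafe_deserialise(blob) == 1)
    print("restricted deserialise rejected payload:", safe_deserialise(blob))
    db = make_db()
    print("unsafe lookup with crafted sku:", unsafe_lookup(db, CRAFTED_SKU))
    print("safe lookup with crafted sku:", safe_lookup(db, CRAFTED_SKU))
```

The restricted unpickler is the minimal fix for the deserialisation case: it still parses the data but refuses every reference to code, which is the property a safe format (such as JSON) gives for free. The parameterised query is the standard fix for the injection case; escaping the value by hand is not an equivalent substitute.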
For the full list of security updates released by Magento, please refer to the References section below.
Affected Products
The following versions are affected:
Magento Commerce 2.3.3 and earlier, and 2.2.10 and earlier
Magento Open Source 2.3.3 and earlier, and 2.2.10 and earlier
Magento Enterprise Edition 1.14.4.3 and earlier
Magento Community Edition 1.9.4.3 and earlier
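To check an installed Magento version against the list above, the following added script (not a Magento tool) transcribes the affected ranges into a table and classifies a version string. The mapping from a version string to a product line is an assumption based on its first two components (2.3, 2.2, 1.14, 1.9); a "-pN" patch suffix is dropped, on the assumption that the advisory's "and earlier" refers to base releases. Versions on branches the advisory does not mention are reported as not listed rather than as safe.

```python
"""Classify a Magento version string against the affected ranges in the advisory.
Added example; the table is transcribed from the Affected Products list."""
import re

# Highest affected release per branch, per the advisory ("... and earlier").
AFFECTED_MAX = {
    (2, 3): (2, 3, 3),       # Magento Commerce / Open Source 2.3.3 and earlier
    (2, 2): (2, 2, 10),      # Magento Commerce / Open Source 2.2.10 and earlier
    (1, 14): (1, 14, 4, 3),  # Magento Enterprise Edition 1.14.4.3 and earlier
    (1, 9): (1, 9, 4, 3),    # Magento Community Edition 1.9.4.3 and earlier
}


def parse_version(text):
    """Extract the dotted version from a string such as '2.3.3-p1' or the
    'Magento CLI 2.3.3' line printed by bin/magento --version.
    The '-pN' suffix is dropped (assumption: the advisory lists base releases)."""
    m = re.search(r"(\d+(?:\.\d+){1,3})(?:-p\d+)?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def status(text):
    """'affected', 'later than affected range' (a newer release on a branch the
    advisory covers), or 'branch not listed' (outside the advisory's scope)."""
    v = parse_version(text)
    branch = v[:2]
    if branch not in AFFECTED_MAX:
        return "branch not listed"
    # Tuple comparison is component-wise, so 2.3.3 <= 2.3.3 and 2.3.4 > 2.3.3.
    return "affected" if v <= AFFECTED_MAX[branch] else "later than affected range"


if __name__ == "__main__":
    for sample in ["Magento CLI 2.3.3", "2.3.3-p1", "2.2.10", "2.3.4",
                   "1.14.4.3", "1.9.4.4", "2.1.18"]:
        print(f"{sample:20s} -> {status(sample)}")
```

On a Magento 2 host the input is the output of bin/magento --version; on Magento 1 the version is reported by the application itself (Mage::getVersion()). A result of "later than affected range" only means the version is above the range this advisory lists, not that it is free of later issues.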
Impact
Successful exploitation of these vulnerabilities could allow an attacker to take control of the affected system and perform malicious activities, including the ability to modify and install programs; view, change, or delete data; or create new accounts with full user access rights.
Recommendations
Magento administrators are advised to check the installed version against the list above and to update to the latest available release for their branch immediately.
References