Adobe fixes Magento flaws that can lead to code execution | Security Affairs

Adobe released a series of out-of-band security fixes to address multiple Magento vulnerabilities that could lead to code execution and customer list tampering.

Eight of the vulnerabilities are rated either critical or important; only one is rated moderate severity. The critical flaws are tracked as CVE-2020-24407 and CVE-2020-24400.

Below is the list of affected versions:

Product | Affected versions | Platform
Magento Commerce | 2.3.5-p1 and earlier versions | All
Magento Commerce | 2.4.0 and earlier versions | All
Magento Open Source | 2.3.5-p1 and earlier versions | All
Magento Open Source | 2.4.0 and earlier versions | All
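The table above gives "and earlier" ceilings rather than a flat list, so checking an installation against it means ordering Magento version strings correctly (a plain 2.3.5 sits below 2.3.5-p1, which sits below 2.3.6). The following script is an added example, not code from the article, Adobe or the Magento project: it encodes the ceilings from the table, applies each ceiling to its own release branch, and reads the installed product and version from a constructed composer.json fragment. The package names magento/project-community-edition and magento/project-enterprise-edition and the presence of a top-level "version" field are assumptions about a Magento install's root composer.json; versions newer than every ceiling are reported as "not listed as affected", not as safe.

```python
import json
import re
from typing import Dict, List, Tuple

# Affected-version ceilings exactly as given in the article's table ("... and
# earlier versions"). Every release at or below a ceiling, within that ceiling's
# release branch, is affected; anything newer is reported as "not listed".
AFFECTED_CEILINGS: Dict[str, List[str]] = {
    "Magento Commerce": ["2.3.5-p1", "2.4.0"],
    "Magento Open Source": ["2.3.5-p1", "2.4.0"],
}

# Assumption: the root composer.json of a Magento install names one of these
# packages and carries a "version" field. Constructed mapping, not from the article.
PACKAGE_TO_PRODUCT = {
    "magento/project-community-edition": "Magento Open Source",
    "magento/project-enterprise-edition": "Magento Commerce",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '2.3.5-p1' into a sortable tuple (2, 3, 5, 1).

    A plain release has patch level 0, so 2.3.5 < 2.3.5-p1 < 2.3.5-p2 < 2.3.6.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Magento version string: {version!r}")
    major, minor, patch, p_level = match.groups()
    return int(major), int(minor), int(patch), int(p_level or 0)


def assess(product: str, version: str) -> str:
    """Return 'affected' or 'not listed as affected' for an installed version.

    The ceiling for the installed release branch (major.minor) decides; a version
    older than every listed branch is covered by 'and earlier' and is affected.
    """
    installed = parse_version(version)
    ceilings = sorted(parse_version(c) for c in AFFECTED_CEILINGS[product])
    same_branch = [c for c in ceilings if c[:2] == installed[:2]]
    if same_branch:
        return "affected" if installed <= max(same_branch) else "not listed as affected"
    if installed < ceilings[0]:
        return "affected"  # e.g. 2.2.x is older than the 2.3.5-p1 ceiling
    return "not listed as affected"


def assess_composer_json(text: str) -> Tuple[str, str, str]:
    """Read product and version from composer.json text and assess them."""
    data = json.loads(text)
    product = PACKAGE_TO_PRODUCT[data["name"]]
    version = data["version"]
    return product, version, assess(product, version)


# Constructed sample composer.json fragment, not taken from any real install.
SAMPLE_COMPOSER_JSON = """
{
  "name": "magento/project-community-edition",
  "description": "eCommerce Platform for Growth (Community Edition)",
  "type": "project",
  "version": "2.3.5-p1"
}
"""

if __name__ == "__main__":
    product, version, verdict = assess_composer_json(SAMPLE_COMPOSER_JSON)
    print(f"{product} {version}: {verdict}")
    for v in ["2.2.11", "2.3.5-p2", "2.3.6", "2.4.0", "2.4.1"]:
        print(f"Magento Open Source {v}: {assess('Magento Open Source', v)}")
```

Applying each ceiling to its own branch matters: a flat "at or below 2.4.0" comparison would flag 2.3.6 as affected even though it is newer than the 2.3 branch's 2.3.5-p1 ceiling, while the branch-aware check leaves such releases as "not listed" for the operator to confirm against the vendor bulletin.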

One of the critical flaws addressed by Adobe is a file upload allow-list bypass. The other critical issue is a SQL injection that can lead to the execution of arbitrary code or arbitrary read/write access to the database. Both issues require an attacker to have already obtained admin privileges.

Adobe has also addressed a vulnerability, tracked as CVE-2020-24402, that can allow attackers to manipulate and modify customer lists. 

Other flaws fixed by Adobe include a stored cross-site scripting (XSS) issue (CVE-2020-24408), a user session invalidation bug (CVE-2020-24401), and a vulnerability that allows Magento CMS pages to be modified without permission (CVE-2020-24404). The company also addressed two restricted resource access bugs, tracked as CVE-2020-24405 and CVE-2020-24403, and an unintended disclosure of the document root path that could lead to sensitive information disclosure (CVE-2020-24406).

This week, Adobe has also released a security update to address a critical remote code execution flaw in Adobe Flash Player (CVE-2020-9746) that could be exploited by threat actors by tricking the victims into visiting a website.

Attackers could exploit this flaw by simply inserting malicious strings in HTTP responses while unaware users visit a website.

Pierluigi Paganini

(SecurityAffairs – hacking, Adobe)
