Sucuri Blog

Website Security News

Vulnerability in Magento

Adobe Patches Critical Magento Vulnerabilities in Recent Update

Adobe has recently released several critical security patches for both their open source and commercial versions of their ecommerce platform. There are a total of 18 security vulnerabilities patched according to Adobe, although they list only 16 specific issues in the patch notes. Eleven of these issues are considered critical and five considered important, ranked by CWE standards. Ten of these vulnerabilities do not require any authentication whatsoever in order to be exploited, whereas the remaining six do require an admin account.

It is very common for attackers to leave malicious admin accounts in compromised websites so as to maintain access. If you’ve ever experienced a website compromise be sure to check your admin accounts for any suspicious activity.

The patched version is 2.4.3. It contains a number of additional quality and functionality fixes, however standalone security-only patches are also available for those who would prefer to stay in their old version. Website owners should patch their websites as soon as possible.

Vulnerability Details

The sixteen vulnerabilities patched in the most recent update cover the following issues:

  • Business Logic Error, which could allow for security feature bypass.
  • Stored Cross-site Scripting, which could allow for arbitrary code execution.
  • Improper Access Control, which could allow for arbitrary code execution.
  • Improper Authorization, which could allow for security feature bypass.
  • Improper Input Validation, which could allow for application denial of service, privilege escalation, security feature bypass and arbitrary code execution.
  • Path Traversal, which could allow for arbitrary code execution.
  • OS Command Injection, which could allow for arbitrary code execution.
  • Incorrect Authorization, which could allow for arbitrary file system read.
  • Server-Side Request Forgery, which could allow for arbitrary code execution.
  • XML Injection, which could allow for arbitrary code execution.

One important point to note about these vulnerabilities is that some of them require no kind of authentication at all which makes them extremely dangerous and that is one of the reasons most are classified as critical.

It is unclear whether or not Magento1 installations are affected, but Magento2 certainly are. All CVE records associated with the vulnerabilities are currently marked as Reserved and details on exactly what the vulnerabilities are and how they are exploited are not yet publicly available.

As details emerge in the coming weeks regarding how these vulnerabilities are executed we will be working with our research teams to ensure the best possible protection for users of our website firewall.

About Ben Martin

Ben Martin is a security analyst and researcher who joined the company in 2013. Ben's main responsibilities include finding new undetected malware, identifying trends in the website security world, and, of course, cleaning websites. His professional experience covers more than eight years of working with infected websites, writing blog posts, and taking escalated tickets. When Ben isn't slaying malware, you might find him editing audio, producing music, playing video games, or cuddling with his cat. Connect with him on Twitter

Reader Interactions