Adobe has recently released several critical security patches for both their open source and commercial versions of their ecommerce platform. There are a total of 18 security vulnerabilities patched according to Adobe, although they list only 16 specific issues in the patch notes. Eleven of these issues are considered critical and five considered important, ranked by CWE standards. Ten of these vulnerabilities do not require any authentication whatsoever in order to be exploited, whereas the remaining six do require an admin account.
It is very common for attackers to leave malicious admin accounts in compromised websites so as to maintain access. If you’ve ever experienced a website compromise, be sure to check your admin accounts for any suspicious activity.
The patched version is 2.4.3. It contains a number of additional quality and functionality fixes; however, standalone security-only patches are also available for those who would prefer to stay on their current version. Website owners should patch their websites as soon as possible.
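One way to carry out that admin-account check is shown below. This is an added example, not code from the original post or from Adobe/Magento: it reads the columns that exist in Magento 2's admin_user table (username, email, is_active, created, logdate, lognum), but runs here against an in-memory SQLite copy filled with constructed sample rows so it can be executed offline. The trusted e-mail domain, the 30-day and 180-day thresholds and the sample accounts are all assumptions.

```python
"""Audit Magento 2 admin accounts for signs of a planted or neglected login.

Added example. The column names match Magento 2's admin_user table; the
rows are constructed sample data loaded into an in-memory SQLite database.
"""
import sqlite3
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Column subset mirroring Magento 2's admin_user table.
SCHEMA = """
CREATE TABLE admin_user (
    user_id   INTEGER PRIMARY KEY,
    username  TEXT NOT NULL,
    email     TEXT NOT NULL,
    is_active INTEGER NOT NULL,
    created   TEXT NOT NULL,
    logdate   TEXT,
    lognum    INTEGER NOT NULL DEFAULT 0
)
"""

# Constructed sample data (not real accounts). "backup_sys" is the kind of
# account an attacker leaves behind: created days ago, external e-mail.
SAMPLE_ROWS = [
    (1, "storeadmin", "admin@example-store.com",      1, "2019-03-01 09:00:00", "2021-08-10 08:15:00", 412),
    (2, "marketing",  "marketing@example-store.com",  1, "2020-01-15 10:00:00", "2021-08-09 17:40:00", 88),
    (3, "backup_sys", "support@mail-service.example", 1, "2021-08-08 03:12:44", "2021-08-08 03:13:01", 3),
    (4, "oldvendor",  "dev@vendor.example",           0, "2018-05-05 11:00:00", "2019-02-01 11:05:00", 20),
    (5, "dormant",    "intern@example-store.com",     1, "2020-06-01 10:00:00", None, 0),
]


def load_sample_db():
    """Build the in-memory stand-in for the real admin_user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO admin_user VALUES (?, ?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def audit_admin_users(conn, trusted_domain, now, recent_days=30, stale_days=180):
    """Return {username: [reasons]} for accounts that warrant a closer look.

    Checks, per account:
      * created within the last `recent_days` (a new admin you did not add?)
      * e-mail address outside `trusted_domain`
      * active but never logged in (lognum == 0)
      * active but no login for more than `stale_days` (candidate to disable)
    """
    recent_cutoff = now - timedelta(days=recent_days)
    stale_cutoff = now - timedelta(days=stale_days)
    findings = {}
    rows = conn.execute(
        "SELECT username, email, is_active, created, logdate, lognum FROM admin_user"
    )
    for username, email, is_active, created, logdate, lognum in rows:
        reasons = []
        created_at = datetime.strptime(created, FMT)
        if created_at >= recent_cutoff:
            reasons.append(f"created within the last {recent_days} days ({created})")
        if not email.lower().endswith("@" + trusted_domain.lower()):
            reasons.append(f"e-mail outside {trusted_domain} ({email})")
        if is_active:
            if lognum == 0 or logdate is None:
                reasons.append("active but has never logged in")
            elif datetime.strptime(logdate, FMT) < stale_cutoff:
                reasons.append(f"active but no login since {logdate}")
        if reasons:
            findings[username] = reasons
    return findings


def run_sample_audit():
    """Run the audit over the sample table with a fixed 'now' (assumed date)."""
    return audit_admin_users(load_sample_db(), "example-store.com",
                             datetime(2021, 8, 11, 12, 0, 0))


if __name__ == "__main__":
    for user, reasons in run_sample_audit().items():
        print(f"{user}:")
        for reason in reasons:
            print(f"  - {reason}")
```

Against a real store, point the same SELECT at the site's MySQL database through a DB-API driver such as PyMySQL or mysql-connector (both exist; their use here is an assumption) and compare the flagged usernames with the list of administrators you know you created. Any account you cannot account for should be disabled and its creation time correlated with web server and admin action logs.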
Vulnerability Details
The sixteen vulnerabilities patched in the most recent update cover the following issues:
- Business Logic Error, which could allow for security feature bypass.
- Stored Cross-site Scripting, which could allow for arbitrary code execution.
- Improper Access Control, which could allow for arbitrary code execution.
- Improper Authorization, which could allow for security feature bypass.
- Improper Input Validation, which could allow for application denial of service, privilege escalation, security feature bypass and arbitrary code execution.
- Path Traversal, which could allow for arbitrary code execution.
- OS Command Injection, which could allow for arbitrary code execution.
- Incorrect Authorization, which could allow for arbitrary file system read.
- Server-Side Request Forgery, which could allow for arbitrary code execution.
- XML Injection, which could allow for arbitrary code execution.
One important point to note is that some of these vulnerabilities require no authentication at all, which makes them extremely dangerous and is one of the reasons most are classified as critical.
It is unclear whether or not Magento 1 installations are affected, but Magento 2 installations certainly are. All CVE records associated with the vulnerabilities are currently marked as Reserved, and details on exactly what the vulnerabilities are and how they are exploited are not yet publicly available.
As details emerge in the coming weeks regarding how these vulnerabilities are executed we will be working with our research teams to ensure the best possible protection for users of our website firewall.