
Adobe Patches Critical Magento Vulnerabilities in Recent Update

August 13, 2021, by Ben Martin

Adobe has recently released several critical security patches for both the open source and the commercial versions of its ecommerce platform. According to Adobe, a total of 18 security vulnerabilities were patched, although only 16 specific issues are listed in the patch notes. Eleven of these issues are rated critical and five important, ranked by CWE standards. Ten of the vulnerabilities do not require any authentication whatsoever in order to be exploited, whereas the remaining six require an admin account.

It is very common for attackers to leave malicious admin accounts in compromised websites so as to maintain access. If you’ve ever experienced a website compromise be sure to check your admin accounts for any suspicious activity.
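A practical way to act on that advice is to pull the admin account list straight from the database and flag anything that looks out of place. The script below is an added example, not Sucuri's or Magento's own code: it assumes the standard Magento 2 `admin_user` table and columns (`user_id`, `username`, `email`, `created`, `logdate`, `lognum`, `is_active`) and reads the tab-separated output of the `mysql` client in batch mode, flagging active accounts that were created after a cutoff date or that have never logged in.

```shell
#!/bin/sh
# Added example: audit Magento 2 admin accounts for leftover attacker accounts.
# Assumes the stock Magento 2 `admin_user` table; adjust the query if your
# schema differs. NULL logdate is replaced with "never" so no field is empty
# (an empty tab-separated field would shift the columns when read by `read`).
ADMIN_QUERY="SELECT user_id, username, email, created, COALESCE(logdate, 'never'), lognum, is_active FROM admin_user ORDER BY created DESC"

# Typical invocation (DB_USER / DB_NAME taken from app/etc/env.php):
#   mysql --batch --skip-column-names -u "$DB_USER" -p "$DB_NAME" -e "$ADMIN_QUERY" | flag_admin_rows 2021-08-01

# flag_admin_rows CUTOFF
#   Reads TSV rows on stdin. For each active account it prints a REVIEW line
#   when the account was created on or after CUTOFF (YYYY-MM-DD) or has
#   never logged in (lognum = 0), both common traits of a backdoor account.
#   Returns 1 if anything was flagged, 0 otherwise.
flag_admin_rows() {
    cutoff_num=$(printf '%s' "$1" | tr -d '-')   # 2021-08-01 -> 20210801
    flagged=0
    tab=$(printf '\t')
    while IFS="$tab" read -r user_id username email created logdate lognum is_active; do
        [ "$is_active" = "1" ] || continue
        created_day=${created%% *}                          # drop the time part
        created_num=$(printf '%s' "$created_day" | tr -d '-')
        if [ "$created_num" -ge "$cutoff_num" ]; then
            echo "REVIEW user_id=$user_id username=$username email=$email created=$created (created on or after $1)"
            flagged=1
        fi
        if [ "$lognum" = "0" ]; then
            echo "REVIEW user_id=$user_id username=$username email=$email last_login=$logdate (never logged in)"
            flagged=1
        fi
    done
    return $flagged
}
```

Run it against a cutoff just before the date of the last known-good state of the site (a backup, a deployment, or the date the advisory was published) and review every flagged row with whoever administers the store; an account nobody recognises should be disabled and the compromise investigated rather than simply deleted.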

The patched version is 2.4.3. It contains a number of additional quality and functionality fixes; however, standalone security-only patches are also available for those who would prefer to stay on their current version. Website owners should patch their websites as soon as possible.
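Because the security-only patches keep the old base version and only append a suffix, a naive "is the version at least 2.4.3" check will wrongly report a site that applied them as unpatched. The script below is an added example, not Sucuri's or Adobe's code: it compares the installed Magento version against the fully patched release named above (2.4.3) but first honours an explicit list of security-only releases that are also fixed. The assumptions are that `bin/magento --version` prints the version as its last word and that security-only releases carry a `-pN` suffix; the actual security-only version numbers are not on this page, so the list is left as a placeholder to be filled in from Adobe's bulletin.

```shell
#!/bin/sh
# Added example: decide whether a Magento 2 install still needs the fixes
# shipped in 2.4.3. Security-only patch releases keep the older base version
# and add a "-pN" suffix (assumption about Adobe's naming), so they are
# whitelisted explicitly instead of being compared numerically.
FIXED_RELEASE="2.4.3"
# PLACEHOLDER: space-separated security-only releases that contain the same
# fixes, copied from Adobe's bulletin for your 2.4.x / 2.3.x line.
SECURITY_ONLY_OK="PLACEHOLDER-SECURITY-ONLY-RELEASE"

# version_lt A B  -> exit 0 if dotted version A is strictly lower than B.
# Missing components are treated as 0, so 2.4.3 equals 2.4.3.0.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        case "$a" in *.*) a=${a#*.};; *) a="";; esac
        case "$b" in *.*) b=${b#*.};; *) b="";; esac
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
    done
    return 1
}

# magento_needs_patch VERSION -> exit 0 if VERSION is still vulnerable.
magento_needs_patch() {
    v="$1"
    for ok in $SECURITY_ONLY_OK; do
        [ "$v" = "$ok" ] && return 1        # explicitly listed security-only release
    done
    base=${v%%-p*}                          # 2.4.2-p1 -> 2.4.2 for the numeric compare
    version_lt "$base" "$FIXED_RELEASE"
}

# installed_version -> prints the version reported by the Magento CLI.
# Assumes the CLI prints something like "Magento CLI 2.4.2"; run from the
# Magento root directory.
installed_version() {
    bin/magento --version | awk '{print $NF}'
}

# Usage from the Magento root (skipped when the CLI is not present, e.g. when
# this file is run outside a Magento checkout):
if [ -x bin/magento ]; then
    v=$(installed_version)
    if magento_needs_patch "$v"; then
        echo "Magento $v is NOT patched: upgrade to $FIXED_RELEASE or apply the security-only patch"
    else
        echo "Magento $v already contains the fixes"
    fi
fi
```

Keep `SECURITY_ONLY_OK` in sync with the vendor bulletin whenever a new security-only release appears; the numeric comparison alone covers full upgrades, and anything that is neither at or above 2.4.3 nor on that list should be treated as exposed.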

Vulnerability Details

The sixteen vulnerabilities patched in the most recent update cover the following issues:

  • Business Logic Error, which could allow for security feature bypass.
  • Stored Cross-site Scripting, which could allow for arbitrary code execution.
  • Improper Access Control, which could allow for arbitrary code execution.
  • Improper Authorization, which could allow for security feature bypass.
  • Improper Input Validation, which could allow for application denial of service, privilege escalation, security feature bypass and arbitrary code execution.
  • Path Traversal, which could allow for arbitrary code execution.
  • OS Command Injection, which could allow for arbitrary code execution.
  • Incorrect Authorization, which could allow for arbitrary file system read.
  • Server-Side Request Forgery, which could allow for arbitrary code execution.
  • XML Injection, which could allow for arbitrary code execution.

One important point to note about these vulnerabilities is that some of them require no authentication at all, which makes them extremely dangerous and is one of the reasons most are classified as critical.

It is unclear whether or not Magento 1 installations are affected, but Magento 2 installations certainly are. All CVE records associated with the vulnerabilities are currently marked as Reserved, and details on exactly what the vulnerabilities are and how they are exploited are not yet publicly available.

As details emerge in the coming weeks regarding how these vulnerabilities are exploited, we will be working with our research teams to ensure the best possible protection for users of our website firewall.

Categories: Magento Security, Security Advisory, Vulnerability Disclosure, Website Security

About Ben Martin

Ben Martin is a security analyst and researcher who joined the company in 2013. Ben's main responsibilities include finding new undetected malware, identifying trends in the website security world, and, of course, cleaning websites. His professional experience covers more than eight years of working with infected websites, writing blog posts, and taking escalated tickets. When Ben isn't slaying malware, you might find him editing audio, producing music, playing video games, or cuddling with his cat. Connect with him on Twitter
