Critical Security Update for Magento Open Source & Adobe Commerce


Last week on August 8th, 2023, Adobe released a critical security patch for Adobe Commerce and the Magento Open Source CMS. The patch provides fixes for three zero-day vulnerabilities which affect the popular ecommerce platforms. Successful exploitation could lead to arbitrary code execution, privilege escalation and arbitrary file system read.

Affected versions of Magento Open Source are as follows:

  • 2.4.6-p1 and earlier
  • 2.4.5-p3 and earlier
  • 2.4.4-p4 and earlier

Website administrators are advised to update their software immediately to mitigate risk to their Magento and Adobe Commerce environments.

Vulnerability details

OS Command Injection

Security Risk: Critical
Base Score: 9.1
Exploitation Level: Requires Admin authentication.
Vulnerability: Arbitrary Code Execution
CVE: CVE-2023-38208

Originally reported to Adobe by researcher Blaklis, CVE-2023-38208 is the most severe vulnerability fixed in this latest update. If left unpatched, it can lead to arbitrary code execution by an authenticated Admin user, potentially allowing a bad actor to execute commands in the targeted environment.

It’s not uncommon for attackers to create malicious administrator accounts within compromised Magento environments. If an attacker is already able to authenticate into an admin account then the environment is already compromised, but this vulnerability would allow attackers even more leeway and control over the environment.

Improper Access Control

Security Risk: Medium
Base Score: 6.5
Exploitation Level: Requires low-level authentication.
Vulnerability: Privilege Escalation
CVE: CVE-2023-38209

Originally reported to Adobe by researcher wohlie, CVE-2023-38209 is a medium-severity vulnerability that occurs due to improper access restrictions for unauthorized users. If left unpatched, it can allow low-privilege users to access other users' data within the Magento environment.

XML Injection / Blind XPath Injection

Security Risk: Medium
Base Score: 5.3
Exploitation Level: No authentication required.
Vulnerability: Arbitrary File System Read
CVE: CVE-2023-38207

Originally reported to Adobe by researcher wohlie, CVE-2023-38207 is a medium-severity vulnerability that occurs because special elements used in XML are not properly neutralized. If left unpatched, it can lead to minor arbitrary file system read in the Magento environment.

Mitigation steps

All three of these vulnerabilities could result in exploitation by attackers if left unpatched. Updating Adobe Commerce and Magento Open Source to the latest security release will help fix these security flaws and mitigate risk to your Magento environment.

Magento users should update their software to the following versions:

  • Magento Open Source 2.4.6-p2 for versions 2.4.6 and earlier
  • Magento Open Source 2.4.5-p4 for versions 2.4.5-p3 and earlier
  • Magento Open Source 2.4.4-p5 for versions 2.4.4-p3 and earlier
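To turn the version table above into a quick self-check, here is an added example (not part of the original post or of Magento itself) that parses a Magento version string, maps it to its branch and reports whether it carries the August 2023 fixes. It assumes the `X.Y.Z-pN` version format shown in this post and that `bin/magento --version` prints the version as a dotted token on one line; the sample output is constructed.

```python
import re

# Fixed Magento Open Source releases from the advisory, keyed by branch:
# the security patch level (-pN) that closes CVE-2023-38207, -38208 and -38209.
FIXED_PATCH_LEVEL = {
    (2, 4, 6): 2,  # update to 2.4.6-p2
    (2, 4, 5): 4,  # update to 2.4.5-p4
    (2, 4, 4): 5,  # update to 2.4.4-p5
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?")


def parse_version(version):
    """Split '2.4.5-p3' into ((2, 4, 5), 3); a bare '2.4.5' has patch level 0."""
    m = _VERSION_RE.fullmatch(version.strip())
    if m is None:
        raise ValueError(f"unrecognised Magento version string: {version!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch)), int(plevel or 0)


def version_from_cli_output(text):
    """Pull the version out of a line such as 'Magento CLI 2.4.5-p3'.

    Assumption: `bin/magento --version` prints the version as a dotted token
    on the line; adjust the regex if your build prints something different.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no version found in: {text!r}")
    return m.group(0)


def assess(version):
    """Return (status, target): status is 'patched', 'vulnerable' or 'unknown';
    target is the release to move to when the install is vulnerable."""
    branch, plevel = parse_version(version)
    fixed = FIXED_PATCH_LEVEL.get(branch)
    if fixed is None:
        return "unknown", None  # branch not covered by this advisory
    if plevel >= fixed:
        return "patched", None
    return "vulnerable", f"{branch[0]}.{branch[1]}.{branch[2]}-p{fixed}"


if __name__ == "__main__":
    # Constructed sample output; on a real install run `bin/magento --version`.
    sample = "Magento CLI 2.4.5-p3"
    print(sample, "->", assess(version_from_cli_output(sample)))
```

A branch the advisory does not list (for example an out-of-support 2.3.x install) is reported as `unknown` rather than guessed at, so it still gets a human look.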

If you believe your Magento environment has already been compromised or infected with malware, we can help. Reach out to our team to chat with our remediation specialists.
