Critical Vulnerabilities in Magento Commerce Software

Published on 30 Jan 2020

Updated on 30 Jan 2020

Background

Magento has released security updates to address several vulnerabilities affecting the Magento Commerce software, out of which three vulnerabilities are rated critical:

  • PRODSECBUG-2579: Deserialisation of untrusted data - CVE-2020-3716: The vulnerability exists due to insecure input validation when processing serialised data, which could lead to arbitrary code execution on the affected system.
  • PRODSECBUG-2633: Security Bypass - CVE-2020-3718: The vulnerability exists due to an unspecified error in the enforcement of security restrictions, which allows a remote attacker to bypass those restrictions and execute arbitrary code on the affected server.
  • PRODSECBUG-2660: SQL Injection - CVE-2020-3719: The vulnerability exists due to insufficient sanitisation of user-supplied data. A remote attacker could exploit it by sending a specially crafted request to the affected application and executing arbitrary SQL commands within the application database.

For the full list of security updates released by Magento, please refer to the References section below.

Affected Products

The security patches are available for the following supported versions:

  • Magento Commerce 2.3.3/2.2.10 and earlier
  • Magento Open Source 2.3.3/2.2.10 and earlier
  • Magento Enterprise Edition 1.14.4.3 and earlier
  • Magento Community Edition 1.9.4.3 and earlier

Impact

Successful exploitation of these vulnerabilities could allow an attacker to take control of the affected system and perform malicious activities, including modifying and installing programs; viewing, changing or deleting data; or creating new accounts with full user access rights.

Recommendations

Magento administrators are advised to update to the latest version immediately.

References