Adobe Security Bulletin

Security Updates Available for Magento | APSB20-59

Bulletin ID

Date Published

Priority

ASPB20-59

October 15th, 2020      

2

Summary

Magento has released updates for Magento Commerce and Magento Open Source. These updates resolve vulnerabilities  rated important and critical. Successful exploitation could lead to arbitrary code execution.    

Affected Versions

Product

Version

Platform

Magento Commerce 

2.3.5-p1 and earlier versions  

All

Magento Commerce 

2.3.5-p2 and earlier versions  

All

Magento Commerce 

2.4.0 and earlier versions 

All

Magento Open Source 

2.3.5-p1 and earlier versions

All

Magento Open Source 

2.3.5-p2 and earlier versions

All

Magento Open Source 

2.4.0 and earlier versions 

All

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.

Product

Updated Version

Platform

Priority Rating

Release Notes

Magento Commerce 

2.4.1

All

2

Magento Open Source 

2.4.1

All

2

 

 

 

 

 

Magento Commerce 

2.3.6

All

2

Magento Open Source 

2.3.6

All

2

Vulnerability details

Vulnerability Category

Vulnerability Impact

Severity

Pre-authentication?

Admin privileges required?

Magento Bug ID

CVE numbers

File Upload Allow List Bypass

Arbitrary code execution 

Critical 

No

Yes

PRODSECBUG-2799

CVE-2020-24407

SQL Injection

Arbitrary read or write access to database

Critical 

No

Yes

PRODSECBUG-2779

CVE-2020-24400

Improper Authorization

Unauthorized modification of customer list

Important

No

Yes

PRODSECBUG-2789

CVE-2020-24402

Insufficient Invalidation of User Session

Unauthorized access to restricted resources

Important

No

Yes

PRODSECBUG-2785

CVE-2020-24401

Improper Authorization

Unauthorized modification of Magento CMS pages

Important

No

Yes

PRODSECBUG-2796

CVE-2020-24404

Sensitive Information Disclosure

Disclosure of document root path

Moderate

No

Yes

PRODSECBUG-2798

CVE-2020-24406

Cross-site Scripting (Stored XSS)

Arbitrary JavaScript execution in the browser

Important

Yes

No

PRODSECBUG-2804

CVE-2020-24408

Improper Authorization

Unauthorized access to restricted resources

Important

No

Yes

PRODSECBUG-2797

CVE-2020-24405

Improper Authorization

Unauthorized access to restricted resources

Important

No

Yes

PRODSECBUG-2791

CVE-2020-24403

Note:

Pre-authentication:  The vulnerability is exploitable without credentials.   

Admin privileges required:  The vulnerability is only exploitable by an attacker with administrative privileges.  

Additional technical descriptions of the CVEs referenced in this document will be made available on MITRE and NVD sites.

Updates to dependencies

Dependency

Vulnerability Impact

Affected Versions

jQuery File Upload

Arbitrary code execution 

2.4.0 and earlier versions 

TinyMCE

Arbitrary JavaScript execution

2.4.0 and earlier versions 

Acknowledgments

Adobe would like to thank the following individuals for reporting the relevant issues and for working with Adobe to help protect our customers:   

  • Edgar Boda-Majer of Bugscale (CVE-2020-24408) 
  • Kien Hoang (CVE-2020-24402, CVE-2020-24401, CVE-2020-24404, CVE-2020-24405)
  • Ihorsv (CVE-2020-24406) 
  • Malerisch (CVE-2020-24407)
  • Dang Toan (CVE-2020-24403)
  • Yonatan Offek (CVE-2020-24400)

 Adobe

Get help faster and easier

New user?