Adobe Security Bulletin

Security update available for Adobe Commerce | APSB24-18

Bulletin ID	Date Published	Priority
APSB24-18	April 9, 2024	3

Summary

Adobe has released a security update for Adobe Commerce and Magento Open Source. This update resolves critical vulnerabilities.  Successful exploitation could lead to arbitrary code execution.

Affected Versions

Product	Version	Platform
Adobe Commerce	2.4.7-beta3 and earlier 2.4.6-p4 and earlier 2.4.5-p6 and earlier 2.4.4-p7 and earlier 2.4.3-ext-6 and earlier* 2.4.2-ext-6 and earlier*	All
Magento Open Source	2.4.7-beta3 and earlier 2.4.6-p4 and earlier 2.4.5-p6 and earlier 2.4.4-p7 and earlier	All

Note: For clarity, the affected versions listed are now listed for each supported release line instead of only the most recent versions.

* These versions are only applicable to customers participating in the Extended Support Program

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.

Product	Updated Version	Platform	Priority Rating	Installation Instructions
Adobe Commerce	2.4.7 for 2.4.7-beta3 and earlier 2.4.6-p5 for 2.4.6-p4 and earlier 2.4.5-p7 for 2.4.5-p6 and earlier 2.4.4-p8 for 2.4.4-p7 and earlier 2.4.3-ext-7 for 2.4.3-ext-6 and earlier* 2.4.2-ext-7 for 2.4.2-ext-6 and earlier*	All	3	2.4.x release notes
Magento Open Source	2.4.7 for 2.4.7-beta3 and earlier 2.4.6-p5 for 2.4.6-p4 and earlier 2.4.5-p7 for 2.4.5-p6 and earlier 2.4.4-p8 for 2.4.4-p7 and earlier	All	3	2.4.x release notes
*Note: These versions are only applicable to customers participating in the** Extended Support Program

Vulnerability Details

Vulnerability Category	Vulnerability Impact	Severity	Authentication required to exploit?	Exploit requires admin privileges?	CVSS base score	CVSS vector	CVE number(s)
Improper Input Validation (CWE-20)	Arbitrary code execution	Critical	No	No	9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H	CVE-2024-20758
Cross-site Scripting (Stored XSS) (CWE-79)	Arbitrary code execution	Critical	Yes	Yes	8.1	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N	CVE-2024-20759

Note:

Authentication required to exploit: The vulnerability is (or is not) exploitable without credentials.

Exploit requires admin privileges: The vulnerability is (or is not) only exploitable by an attacker with administrative privileges.

Acknowledgements

Adobe would like to thank the following researchers for reporting these issues and working with Adobe to help protect our customers:

Blaklis - CVE-2024-20758
truff - CVE-2024-20759

NOTE: Adobe has a private, invite-only, bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please fill out this form for next steps.

Revisions

June 26, 2024 - Removed inapplicable end-of-life extended support versions from Affected and Solution versions tables

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.