Bulletin ID
Last updated on
16 May 2021
|
Also applies to Digital Editions
Security Updates Available for Magento | APSB20-02
|
|
Date Published |
Priority |
|---|---|---|
|
APSB20-02 |
January 28, 2020 |
2 |
Summary
Magento has released updates for Magento Commerce and Open Source editions. These updates resolve critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution.
Affected Versions
|
Product |
Version |
Platform |
|---|---|---|
|
Magento Commerce |
2.3.3 and earlier versions |
All |
|
Magento Open Source |
2.3.3 and earlier versions |
All |
|
Magento Commerce |
2.2.10 and earlier versions |
All |
|
Magento Open Source |
2.2.10 and earlier versions |
All |
|
Magento Enterprise Edition |
1.14.4.3 and earlier versions |
All |
|
Magento Community Edition |
1.9.4.3 and earlier versions |
All |
Solution
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.
|
Product |
Version |
Platform |
Priority Rating |
Availability |
|---|---|---|---|---|
|
Magento Commerce |
2.3.4 |
All |
2 |
|
|
Magento Open Source |
2.3.4 |
All |
2 |
|
|
Magento Commerce |
2.2.11 |
All |
2 |
|
|
Magento Open Source |
2.2.11 |
All |
2 |
|
|
Magento Enterprise Edition |
1.14.4.4 |
All |
2 |
|
|
Magento Community Edition |
1.9.4.4 |
All |
2 |
Vulnerability details
|
Vulnerability Category |
Vulnerability Impact |
Severity |
Magento Bug ID |
CVE Numbers |
|---|---|---|---|---|
|
Stored cross-site scripting |
Sensitive information disclosure |
Important |
PRODSECBUG-2543 |
CVE-2020-3715 |
|
Stored cross-site scripting |
Sensitive information disclosure |
Important |
PRODSECBUG-2599 |
CVE-2020-3758 |
|
Deserialization of untrusted data |
Arbitrary code execution |
Critical |
PRODSECBUG-2579 |
CVE-2020-3716 |
|
Path traversal |
Sensitive information disclosure |
Important |
PRODSECBUG-2632 |
CVE-2020-3717 |
|
Security bypass |
Arbitrary code execution |
Critical |
PRODSECBUG-2633 |
CVE-2020-3718 |
|
SQL injection |
Sensitive information disclosure |
Critical |
PRODSECBUG-2660 |
CVE-2020-3719 |
Acknowledgments
Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:
· Ernesto Martin (CVE-2020-3715)
· Blaklis (CVE-2020-3716, CVE-2020-3717, CVE-2020-3718)
· Luke Rodgers (CVE-2020-3719)
· Djordje Marjanovic (CVE-2020-3758)