Security Updates Available for Magento | APSB20-41

| Bulletin ID | Date Published | Priority |
|---|---|---|
| APSB20-41 | June 22, 2020 | 2 |
Summary
Magento has released updates for Magento Commerce 1 and Magento Open Source 1. These updates resolve vulnerabilities rated Important and Critical. Successful exploitation could lead to arbitrary code execution.
Support for Magento Commerce 1.14 and Magento Open Source 1 is ending in June 2020. These will be the final security patches available for these editions.
Magento Commerce 1 is formerly known as Magento Enterprise Edition, and Magento Open Source 1 is formerly known as Magento Community Edition.
Affected Versions
| Product | Version | Platform |
|---|---|---|
| Magento Commerce 1 | 1.14.4.5 and earlier versions | All |
| Magento Open Source 1 | 1.9.4.5 and earlier versions | All |
These vulnerabilities do not impact Magento Commerce or Magento Open Source.
Solution
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.
| Product | Version | Platform | Priority Rating | Availability |
|---|---|---|---|---|
| Magento Commerce 1 | SUPEE-11346 | All | 2 | My Account > Downloads Tab > Magento Commerce 1.X > Magento Commerce 1.x > Support and Security Patches > Security Patches > Security |
| Magento Open Source 1 | SUPEE-11346 | All | 2 | Magento Open Source Download Page > Release Archive Tab > Magento Open Source Patches - 1.x Section |
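A small triage helper, added here as an example and not code from Adobe or the Magento project: given the edition, the installed version and the contents of the store's patch log, it reports whether the installation falls inside the affected ranges above and whether SUPEE-11346 has been recorded as applied. It assumes that Magento 1 records each applied patch by name in `app/etc/applied.patches.list` (only the presence of the patch name on a line is relied on, not the exact line format), and the patch-list content below is constructed sample data, not a real file.

```python
"""Triage helper for APSB20-41 (added example, not Adobe's or Magento's code).

Assumptions:
- version strings are dotted integers such as "1.9.4.5";
- app/etc/applied.patches.list names each applied patch on its own line, so a
  line containing "SUPEE-11346" means the patch was applied. A patch that was
  later reverted is not detected by this check.
"""
from __future__ import annotations

# Affected ranges from the bulletin: these versions and everything earlier.
AFFECTED_MAX = {
    "Magento Commerce 1": (1, 14, 4, 5),
    "Magento Open Source 1": (1, 9, 4, 5),
}
PATCH_NAME = "SUPEE-11346"

# Constructed sample of an applied.patches.list; only the patch names matter.
SAMPLE_PATCH_LIST = """\
2019-10-09 12:00:00 UTC | SUPEE-11155 | CE_1.9.4.2 | v1
2020-06-23 09:30:00 UTC | SUPEE-11346 | CE_1.9.4.5 | v1
"""


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '1.9.4.5' into (1, 9, 4, 5); anything non-numeric is rejected."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def version_in_affected_range(edition: str, version: str) -> bool:
    """True when edition/version lies within the ranges listed in APSB20-41.

    Tuple comparison gives the right order for dotted versions, and a shorter
    string such as '1.9.4' compares as earlier than '1.9.4.5'.
    """
    if edition not in AFFECTED_MAX:
        raise ValueError(f"unknown edition: {edition!r}")
    return parse_version(version) <= AFFECTED_MAX[edition]


def patch_applied(applied_patches_list: str, patch: str = PATCH_NAME) -> bool:
    """Assumption: the patch log names each applied patch on its own line."""
    return any(patch in line for line in applied_patches_list.splitlines())


def assess(edition: str, version: str, applied_patches_list: str) -> str:
    """Combine the version range and the patch log into one triage verdict."""
    if not version_in_affected_range(edition, version):
        return "not in affected range"
    if patch_applied(applied_patches_list):
        return "affected version, SUPEE-11346 applied"
    return "VULNERABLE: apply SUPEE-11346 (APSB20-41)"


if __name__ == "__main__":
    # Read the real log with: open("app/etc/applied.patches.list").read()
    print(assess("Magento Open Source 1", "1.9.4.5", SAMPLE_PATCH_LIST))
    print(assess("Magento Commerce 1", "1.14.4.5", ""))
```

Run it against the real patch log from the store root; an installation whose edition is missing from the bulletin's table is rejected rather than silently reported as safe.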
Vulnerability details
| Vulnerability Category | Vulnerability Impact | Severity | Pre-authentication? | Admin privileges required? | Magento Bug ID | CVE numbers |
|---|---|---|---|---|---|---|
| PHP Object Injection | Arbitrary code execution | Critical | No | Yes | PRODSECBUG-2758 | CVE-2020-9664 |
| Stored cross-site scripting | Sensitive information disclosure | Important | No | Yes | PRODSECBUG-2759 | CVE-2020-9665 |
Pre-authentication: The vulnerability is exploitable without credentials.
Admin privileges required: The vulnerability is only exploitable by an attacker with administrative privileges.
Acknowledgments
Adobe would like to thank Luke Rodgers for reporting these issues and for working with Adobe to help protect our customers.