Magento today updated its e-commerce software for all supported platforms with fixes for multiple vulnerabilities. Some of them have critical severity and hackers could exploit them to run arbitrary code.

The security bugs affect Magento Commerce (2.3.3/2.2.10 and below), Open Source (2.3.3/2.2.10 and below), Enterprise Edition (1.14.4.3 and earlier), and Community Edition (1.9.4.3 and earlier). New releases are now available for each of them.

Half critical, half important

The updates address six vulnerabilities, half of them rated critical. The rest of them are marked as important.

Two of the critical bugs are a deserialization of untrusted data (CVE-2020-3716) and a security bypass (CVE-2020-3718), both leading to arbitrary code execution.

A third one, rated with the same critical severity, is an SQL injection (CVE-2020-3719) and could be exploited to leak sensitive information.

The severity of the other three vulnerabilities (two stored cross-site scripting bugs and a path traversal) has been assessed as important. An attacker could leverage them to obtain sensitive information that could help advance an attack.

Magento 2.3.4 is available for download and admins are advised to install it as soon as possible. The update carries a priority rating of 2, which means that the risk to this product is elevated but there are no known exploits at the moment.

Product Availability

Product                       Version    Edition
Magento Commerce              2.3.4      Commerce
Magento Open Source           2.3.4      Open Source
Magento Commerce              2.2.11     Commerce
Magento Open Source           2.2.11     Open Source
Magento Enterprise Edition    1.14.4     EE
Magento Community Edition     1.9.4.4    CE

Magento stores are often hacked using known vulnerabilities to plant malicious JavaScript code that steals payment card data and sensitive customer information from loaded forms.

Known as MageCart because they initially targeted websites running the Magento platform, these attacks have grown rampant lately. Multiple cybercriminal groups are engaged in this activity, which has already hit hundreds of thousands of stores.

Recently, with help from Interpol and cybersecurity company Group-IB, the Indonesian police arrested three individuals under suspicion of running MageCart attacks.

Starting with this release, Magento bugs will be documented by Adobe, which completed the acquisition of the e-commerce platform in mid-2018.

The current Magento update addresses more than just security vulnerabilities. It also brings page builder enhancements, integration with Adobe Stock, compatibility with PWA Studio-based storefronts, along with other updates across the entire platform. A full blog post with the changes is available on the Magento website.
