Adobe-owned Magento has plugged multiple critical vulnerabilities in its eponymous content management system, the most severe of which could be exploited by attackers to achieve arbitrary code execution.
About the fixed vulnerabilities
According to the newest Magento-themed security bulletin (now published as an Adobe security bulletin), three of the six fixed flaws are critical and three are important.
In the “critical” category are a deserialization of untrusted data flaw (CVE-2020-3716) and a security bypass (CVE-2020-3718), both of which could lead to arbitrary code execution, and an SQL injection (CVE-2020-3719) that could be exploited to leak sensitive information.
In the “important” category are two stored cross-site scripting flaws (CVE-2020-3715, CVE-2020-3758) and a path traversal (CVE-2020-3717) vulnerability, all of which could lead to sensitive information disclosure.
All of these have been patched in:
- Magento Commerce versions 2.3.4 and 2.2.11
- Magento Open Source versions 2.3.4 and 2.2.11
- Magento Enterprise Edition (EE) version 126.96.36.199
- Magento Community Edition (CE) version 188.8.131.52
At the moment, there is no indication that any of these are being actively exploited by attackers. Nevertheless, users/admins are advised to update their installations as soon as possible.
Magento shops are a major target
Magento is one of the most popular open-source e-commerce platforms out there, but web stores running it have unfortunately become a prime – though not exclusive – target for card-skimming cybercriminals (aka Magecart attackers).
Vulnerabilities in the Magento core are just one vector through which attackers can gain access to online shops to insert card-skimming code into them. Other avenues of attack include bugs in popular extensions and plug-ins, phishing emails lobbed at site admins, and compromise of third parties that serve scripts on the target site(s).