Adobe fixes security holes in Magento, most of which are critical
Adobe has released security updates to address vulnerabilities in Magento and Adobe Connect.
Magento August 2021 security updates
Magento is a popular open-source e-commerce platform. Websites built on Magento are a notorious target of the cybercriminal groups collectively known as Magecart, which compromise them and plant payment card skimmers.
Adobe has released updates for Magento Commerce and Magento Open Source editions, fixing 26 CVE-numbered vulnerabilities, most of which are critical.
Among these are a number of bugs that are exploitable without credentials and may allow for arbitrary code execution – though all of them are exploitable only if an attacker has administrative privileges. The latter condition can be achieved through another of the vulnerabilities fixed in this batch: CVE-2021-36032, which allows for privilege escalation.
None of the fixed vulnerabilities are being actively exploited by attackers, but since Magento is a popular target, administrators are advised to install the update soon.
The Adobe Connect updates
Adobe Connect is a software suite for web conferencing, desktop sharing, and delivering presentations and remote training.
This latest security update fixes three vulnerabilities, all deemed “important”:
- An unspecified violation of secure design principles that could allow attackers to bypass a security feature
- Two reflected XSS bugs that could lead to arbitrary code execution
None of these are being exploited in the wild. Since Adobe Connect has not historically been a target for attackers, these updates can wait until more critical ones are implemented.