Magento Update Released to Fix Critical Flaws Affecting E-Commerce Sites

News

Adobe on Tuesday shipped security updates to remediate multiple critical vulnerabilities in its Magento e-commerce platform that could be abused by an attacker to execute arbitrary code and take control of a vulnerable system.

The issues affect 2.3.7, 2.4.2-p1, 2.4.2, and earlier versions of Magento Commerce, and 2.3.7, 2.4.2-p1, and all prior versions of Magento Open Source edition. Of the 26 flaws addressed, 20 are rated critical, and six are rated Important in severity. None of the vulnerabilities fixed this month by Adobe are listed as publicly known or under active attack at the time of release.

Stack Overflow Teams

The most concerning of the bugs are as follows –

  • CVE-2021-36021, CVE-2021-36024, CVE-2021-36025, CVE-2021-36034, CVE-2021-36035, CVE-2021-36040, CVE-2021-36041, and CVE-2021-36042 (CVSS score: 9.1) – Arbitrary code execution due to improper input validation
  • CVE-2021-36022 and CVE-2021-36023 (CVSS score: 9.1) – Arbitrary code execution due to OS command injection
  • CVE-2021-36028 and CVE-2021-36033 (CVSS score: 9.1) – Arbitrary code execution due to XML injection
  • CVE-2021-36036 (CVSS score: 9.1) – Arbitrary code execution due to improper access control
  • CVE-2021-36029 (CVSS score: 9.1) – Security feature bypass
  • CVE-2021-36032 (CVSS score: 8.3) – Privilege escalation
  • CVE-2021-36020 (CVSS score: 8.2) – Arbitrary code execution due to XML injection
  • CVE-2021-36043 (CVSS score: 8.0) – Arbitrary code execution due to server-side request forgery (SSRF)
  • CVE-2021-36044 (CVSS score: 7.5) – Application denial-of-service
  • CVE-2021-36030 (CVSS score: 7.5) – Security feature bypass
  • CVE-2021-36031 (CVSS score: 7.2) – Arbitrary code execution due to path traversal

Successful exploitation of the aforementioned pre-authentication vulnerabilities could be abused by an adversary to escalate privileges and run malicious code, thus enabling the threat actor to seize control of a Magento site and its server.

Users are highly advised to move quickly to download the appropriate patches and install them to mitigate the risks associated with the flaws.

Products You May Like

Articles You May Like

Warning: DEEPDATA Malware Exploiting Unpatched Fortinet Flaw to Steal VPN Credentials
Bitfinex Hacker Jailed for Five Years Over Billion Dollar Crypto Heist
The Problem of Permissions and Non-Human Identities – Why Remediating Credentials Takes Longer Than You Think
Fake Donald Trump Assassination Story Used in Phishing Scam
Palo Alto Networks Patches Critical Firewall Vulnerability

Leave a Reply

Your email address will not be published. Required fields are marked *