Adobe releases Magento Updates
Adobe released security updates to fix critical vulnerabilities in its Magento e-commerce platform, the exploitation of which can lead to arbitrary code execution along with taking control of an exposed system.
Magento empowers retailers and brands with e-commerce platforms and flexible cloud solutions to innovate and grow in this rapidly evolving era. It was acquired by Adobe in May 2018. Magento accounts for 12% of all online stores, which means that roughly 250,000 e-commerce sites are powered by this platform.
The identified 26 issues are likely to impact the 2.3.7, 2.4.2-p1, 2.4.2, and previous versions of Magento Commerce, and 2.3.7, 2.4.2-p1, and all earlier versions of Magento Open Source edition. 20 of these are rated critical, and 6 of them are rated Important in severity. None of the discovered vulnerabilities are listed as publicly known or under active attack.
The most critical bugs are listed below:
- CVE-2021-36021, CVE-2021-36024, CVE-2021-36025, CVE-2021-36034, CVE-2021-36035, CVE-2021-36040, CVE-2021-36041, and CVE-2021-36042 (CVSS score: 9.1) – Arbitrary code execution due to improper input validation
- CVE-2021-36022 and CVE-2021-36023 (CVSS score: 9.1) – Arbitrary code execution due to OS command injection
- CVE-2021-36028 and CVE-2021-36033 (CVSS score: 9.1) – Arbitrary code execution due to XML injection
- CVE-2021-36036 (CVSS score: 9.1) – Arbitrary code execution due to improper access control
- CVE-2021-36029 (CVSS score: 9.1) – Security feature bypass
- CVE-2021-36032 (CVSS score: 8.3) – Privilege escalation
- CVE-2021-36020 (CVSS score: 8.2) – Arbitrary code execution due to XML injection
- CVE-2021-36043 (CVSS score: 8.0) – Arbitrary code execution due to server-side request forgery (SSRF)
- CVE-2021-36044 (CVSS score: 7.5) – Application denial-of-service
- CVE-2021-36030 (CVSS score: 7.5) – Security feature bypass
- CVE-2021-36031 (CVSS score: 7.2) – Arbitrary code execution due to path traversal
An adversary can exploit the above-mentioned bugs to escalate privileges and run malicious code, allowing them to gain control of a Magento site and its underlying server. As a remedial measure, users are urged to take immediate steps and apply the patches for these vulnerabilities to minimize the associated risks.