Two critical flaws in Magento – Adobe’s e-commerce platform that is commonly targeted by attackers like the Magecart threat group – could enable arbitrary code execution on affected systems. Retail is set to boom in the coming months – between this week’s Amazon Prime Day and November’s Black Friday – which puts pressure on Adobe to rapidly patch up any holes in the popular Magento open-source platform, which powers many online shops. The company on Thursday disclosed two critical flaws, six important-rated errors and one moderate-severity vulnerability plaguing both Magento Commerce (which is aimed at enterprises that need premium support levels, and has a license fee starting at $24,000 annually) and Magento Open Source (its free alternative). The most severe of these include a vulnerability that allows for arbitrary code execution. The issue stems from the application not validating full filenames when using an “allow list” method to check the file extensions. This could enable an attacker to bypass the validation and upload a malicious file. In order to exploit this flaw (CVE-2020-24407), attackers would not need pre-authentication (meaning the flaw is exploitable without credentials) – however, they would need administrative privileges. The other critical flaw is an SQL injection vulnerability. This is a type of web security flaw that allows an attacker to interfere with the queries that an application makes to its database. An attacker without authentication – but…
0 0 govanguard https://govanguard.com/wp-content/uploads/2018/04/Header_Logo.png govanguard2020-10-15 16:59:002020-10-15 16:59:00Critical Magento Holes Open Online Shops to Code Execution
Our Standard Office Hours
Monday – Friday: 8:00AM – 5:00PM EDT
Saturday – Sunday: Closed
Where to Find Us
Data Privacy Notice
- – All product names, logos, and brands are property of their respective owners.
- – The use of these names, logos, and brands is for identification purposes only and does not imply endorsement.
- – Content syndication and aggregation of public information is solely for the purpose of identifying information security trends, all syndicated content contains source links to the content creator website. All content is owned by it’s respective content creators.
- – If you are an owner of some content and want it to be removed, please email firstname.lastname@example.org