Adobe patches Magento bugs that lead to code execution, customer list tampering

The out-of-band security update tackles eight critical and important vulnerabilities.
Written by Charlie Osborne, Contributing Writer

Adobe has released a set of out-of-band security fixes to resolve serious issues in the Magento platform. 

Published on October 15, the security advisory falls outside the firm's typical monthly patch cycle and resolves nine vulnerabilities: eight rated critical or important, and one rated moderate. 

The vulnerabilities affect Magento Commerce and Magento Open Source versions 2.3.5-p1 and earlier, and 2.4.0 and earlier.

The two critical vulnerabilities, now resolved, are CVE-2020-24407, a file upload allow list bypass that can lead to arbitrary code execution, and CVE-2020-24400, an SQL injection flaw that can give an attacker arbitrary read and write access to the database. Neither is exploitable pre-authentication: both require an attacker who has already obtained administrative privileges. 

In addition, the software giant has tackled CVE-2020-24402, an authorization flaw that allows attackers to view and modify customer lists. 

A stored cross-site scripting (XSS) issue (CVE-2020-24408), a user session invalidation bug (CVE-2020-24401), a flaw that allows Magento CMS pages to be modified without permission (CVE-2020-24404), and two bugs granting access to restricted resources (CVE-2020-24405 and CVE-2020-24403) have also been resolved. 

The lowest-severity bug, CVE-2020-24406, rated moderate, is an unintended disclosure of the document root path that could expose sensitive information. 

In Adobe's standard monthly security update, the company patched a single critical vulnerability in Flash Player for Windows, macOS, Linux, and Chrome OS. The vulnerability, CVE-2020-9746, is a null pointer dereference flaw that could be exploited to crash the software or execute arbitrary code. 

Microsoft, too, releases security fixes for its software on a monthly cycle. In October, 87 security issues were resolved, including 21 remote code execution vulnerabilities affecting products such as Excel, Outlook, and the Windows TCP/IP stack. 
