Bulletin ID
Last updated on
May 16, 2021
|
Also applies to Digital Editions
Security Updates Available for Magento | APSB20-47
|
|
Date Published |
Priority |
|---|---|---|
|
ASPB20-47 |
July 28th, 2020 |
2 |
Summary
Magento has released updates for Magento Commerce 2 (formerly known as Magento Enterprise Edition) and Magento Open Source 2 (formerly known as Magento Community Edition). These updates resolve vulnerabilities rated Important and Critical . Successful exploitation could lead to arbitrary code execution and signature verification bypass.
Affected Versions
|
Product |
Version |
Platform |
|---|---|---|
|
Magento Commerce 2 |
2.3.5-p1 and earlier versions |
All |
|
Magento Open Source 2 |
2.3.5-p1 and earlier versions |
All |
Solution
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.
|
Product |
Updated Version |
Platform |
Priority Rating |
Release Notes |
|---|---|---|---|---|
|
Magento Commerce 2 |
2.4.0 |
All |
2 |
|
|
Magento Open Source 2 |
2.4.0 |
All |
2 |
|
|
|
|
|
|
|
|
Magento Commerce 2 |
2.3.5-p2 |
All |
2 |
N/A |
|
Magento Open Source 2 |
2.3.5-p2 |
All |
2 |
N/A |
Vulnerability details
|
Vulnerability Category |
Vulnerability Impact |
Severity |
Admin privileges required? |
Magento Bug ID |
CVE numbers |
|
|---|---|---|---|---|---|---|
|
Path Traversal |
Arbitrary code execution |
Critical |
No |
Yes |
PRODSECBUG-2716 |
CVE-2020-9689 |
|
Observable Timing Discrepancy |
Signature verification bypass |
Important |
No |
Yes |
PRODSECBUG-2726 |
CVE-2020-9690 |
|
DOM-based Cross-Site Scripting |
Arbitrary code execution |
Important |
Yes |
No |
PRODSECBUG-2533 |
CVE-2020-9691 |
|
Security Mitigation bypass |
Arbitrary code execution |
Critical |
No |
Yes |
PRODSECBUG-2769 |
CVE-2020-9692 |
Note:
Pre-authentication: The vulnerability is exploitable without credentials.
Admin privileges required: The vulnerability is only exploitable by an attacker with administrative privileges.
Acknowledgments
Adobe would like to thank the following individuals for reporting the relevant issues and for working with Adobe to help protect our customers:
- Edgar Boda-Majer of Bugscale and Blaklis (CVE-2020-9689)
- Wasin Sae-ngow (CVE-2020-9690)
- Linus Särud (CVE-2020-9691)
- Edgar Boda-Majer of Bugscale (CVE-2020-9692)
Revisions
Adobe MAX
The Creativity Conference
Oct 14–16 Miami Beach and online
Adobe MAX
The Creativity Conference
Oct 14–16 Miami Beach and online