Adobe Security Bulletin

Security Updates Available for Magento | APSB20-02

| Bulletin ID | Date Published | Priority |
|---|---|---|
| APSB20-02 | January 28, 2020 | 2 |

Summary

Magento has released updates for Magento Commerce and Open Source editions. These updates resolve critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution.

Affected Versions

| Product | Version | Platform |
|---|---|---|
| Magento Commerce | 2.3.3 and earlier versions | All |
| Magento Open Source | 2.3.3 and earlier versions | All |
| Magento Commerce | 2.2.10 and earlier versions | All |
| Magento Open Source | 2.2.10 and earlier versions | All |
| Magento Enterprise Edition | 1.14.4.3 and earlier versions | All |
| Magento Community Edition | 1.9.4.3 and earlier versions | All |

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.

| Product | Version | Platform | Priority Rating | Availability |
|---|---|---|---|---|
| Magento Commerce | 2.3.4 | All | 2 | |
| Magento Open Source | 2.3.4 | All | 2 | |
| Magento Commerce | 2.2.11 | All | 2 | |
| Magento Open Source | 2.2.11 | All | 2 | |
| Magento Enterprise Edition | 1.14.4.4 | All | 2 | |
| Magento Community Edition | 1.9.4.4 | All | 2 | |

Vulnerability details

| Vulnerability Category | Vulnerability Impact | Severity | Magento Bug ID | CVE Numbers |
|---|---|---|---|---|
| Stored cross-site scripting | Sensitive information disclosure | Important | PRODSECBUG-2543 | CVE-2020-3715 |
| Stored cross-site scripting | Sensitive information disclosure | Important | PRODSECBUG-2599 | CVE-2020-3758 |
| Deserialization of untrusted data | Arbitrary code execution | Critical | PRODSECBUG-2579 | CVE-2020-3716 |
| Path traversal | Sensitive information disclosure | Important | PRODSECBUG-2632 | CVE-2020-3717 |
| Security bypass | Arbitrary code execution | Critical | PRODSECBUG-2633 | CVE-2020-3718 |
| SQL injection | Sensitive information disclosure | Critical | PRODSECBUG-2660 | CVE-2020-3719 |

Acknowledgments

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:

· Ernesto Martin (CVE-2020-3715)

· Blaklis (CVE-2020-3716, CVE-2020-3717, CVE-2020-3718)

· Luke Rodgers (CVE-2020-3719)

· Djordje Marjanovic (CVE-2020-3758)
