Bulletin ID
Last updated on
16 May 2021
|
Also applies to Digital Editions
Security Updates Available for Magento | APSB20-59
|
|
Date Published |
Priority |
|---|---|---|
|
ASPB20-59 |
October 15th, 2020 |
2 |
Summary
Affected Versions
|
Product |
Version |
Platform |
|---|---|---|
|
Magento Commerce |
2.3.5-p1 and earlier versions |
All |
|
Magento Commerce |
2.3.5-p2 and earlier versions |
All |
|
Magento Commerce |
2.4.0 and earlier versions |
All |
|
Magento Open Source |
2.3.5-p1 and earlier versions |
All |
|
Magento Open Source |
2.3.5-p2 and earlier versions |
All |
|
Magento Open Source |
2.4.0 and earlier versions |
All |
Solution
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.
|
Product |
Updated Version |
Platform |
Priority Rating |
Release Notes |
|---|---|---|---|---|
|
Magento Commerce |
2.4.1 |
All |
2 |
|
|
Magento Open Source |
2.4.1 |
All |
2 |
|
|
|
|
|
|
|
|
Magento Commerce |
2.3.6 |
All |
2 |
|
|
Magento Open Source |
2.3.6 |
All |
2 |
Vulnerability details
|
Vulnerability Category |
Vulnerability Impact |
Severity |
Admin privileges required? |
Magento Bug ID |
CVE numbers |
|
|---|---|---|---|---|---|---|
|
File Upload Allow List Bypass |
Arbitrary code execution |
Critical |
No |
Yes |
PRODSECBUG-2799 |
CVE-2020-24407 |
|
SQL Injection |
Arbitrary read or write access to database |
Critical |
No |
Yes |
PRODSECBUG-2779 |
CVE-2020-24400 |
|
Improper Authorization |
Unauthorized modification of customer list |
Important |
No |
Yes |
PRODSECBUG-2789 |
CVE-2020-24402 |
|
Insufficient Invalidation of User Session |
Unauthorized access to restricted resources |
Important |
No |
Yes |
PRODSECBUG-2785 |
CVE-2020-24401 |
|
Improper Authorization |
Unauthorized modification of Magento CMS pages |
Important |
No |
Yes |
PRODSECBUG-2796 |
CVE-2020-24404 |
|
Sensitive Information Disclosure |
Disclosure of document root path |
Moderate |
No |
Yes |
PRODSECBUG-2798 |
CVE-2020-24406 |
|
Cross-site Scripting (Stored XSS) |
Arbitrary JavaScript execution in the browser |
Important |
Yes |
No |
PRODSECBUG-2804 |
CVE-2020-24408 |
|
Improper Authorization |
Unauthorized access to restricted resources |
Important |
No |
Yes |
PRODSECBUG-2797 |
CVE-2020-24405 |
|
Improper Authorization |
Unauthorized access to restricted resources |
Important |
No |
Yes |
PRODSECBUG-2791 |
CVE-2020-24403 |
Note:
Pre-authentication: The vulnerability is exploitable without credentials.
Admin privileges required: The vulnerability is only exploitable by an attacker with administrative privileges.
Additional technical descriptions of the CVEs referenced in this document will be made available on MITRE and NVD sites.
Updates to dependencies
|
Dependency |
Vulnerability Impact |
Affected Versions |
|---|---|---|
|
jQuery File Upload |
Arbitrary code execution |
2.4.0 and earlier versions |
|
TinyMCE |
Arbitrary JavaScript execution |
2.4.0 and earlier versions |
Acknowledgments
Adobe would like to thank the following individuals for reporting the relevant issues and for working with Adobe to help protect our customers:
- Edgar Boda-Majer of Bugscale (CVE-2020-24408)
- Kien Hoang (CVE-2020-24402, CVE-2020-24401, CVE-2020-24404, CVE-2020-24405)
- Ihorsv (CVE-2020-24406)
- Malerisch (CVE-2020-24407)
- Dang Toan (CVE-2020-24403)
- Yonatan Offek (CVE-2020-24400)
Adobe MAX
The Creativity Conference
Oct 14–16 Miami Beach and online
Adobe MAX
The Creativity Conference
Oct 14–16 Miami Beach and online