Critical Flaws in Magento e-Commerce Platform Allow Code-Execution
Critical vulnerabilities in Adobe's Magento e-commerce platform - a favorite target of the Magecart cybergang - could lead to arbitrary code execution.
Of the flaws, Adobe has fixed three that it rates as critical in severity, meaning that successful exploits could "allow malicious native code to execute, potentially without a user being aware."
These include CVE-2020-3715 and CVE-2020-3758, stored cross-site scripting flaws that could allow sensitive information disclosure.
"Magecart is a simple bit of code that is sophisticatedly injected into websites to steal credit-card information and most of the time unknowing to the website organization," said James McQuiggan, security awareness advocate at KnowBe4, via email.
The versions impacted by the latest slew of bugs are Magento Commerce and Open Source, 2.2.10 and earlier versions and 2.3.3 and earlier versions; Magento Enterprise Edition 1.14.4.3 and earlier versions; and Magento Community Edition, 1.9.4.3 and earlier versions.
News URL
https://threatpost.com/critical-flaws-magento-ecommerce-code-execution/152343/
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-01-29 | CVE-2020-3715 | Cross-site Scripting vulnerability in Magento. Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a stored cross-site scripting vulnerability. | 4.3 |
| 2020-01-29 | CVE-2020-3758 | Cross-site Scripting vulnerability in Magento. Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a stored cross-site scripting vulnerability. | 4.3 |