
Critical Flaws in Magento e-Commerce Platform Allow Code-Execution
2020-01-29 15:27

Critical vulnerabilities in Adobe's Magento e-commerce platform - a favorite target of the Magecart cybergang - could lead to arbitrary code execution.

Among the flaws, Adobe has fixed three that it rates critical in severity, meaning that successful exploits could "Allow malicious native code to execute, potentially without a user being aware."

These include CVE-2020-3715 and CVE-2020-3758, stored cross-site scripting flaws that could allow sensitive information disclosure.

"Magecart is a simple bit of code that is sophisticatedly injected into websites to steal credit-card information and most of the time unknowing to the website organization," said James McQuiggan, security awareness advocate at KnowBe4, via email.

The versions affected by the latest batch of bugs are Magento Commerce and Open Source 2.2.10 and earlier and 2.3.3 and earlier; Magento Enterprise Edition 1.14.4.3 and earlier; and Magento Community Edition 1.9.4.3 and earlier.


News URL

https://threatpost.com/critical-flaws-magento-ecommerce-code-execution/152343/

Related Vulnerability

DATE        CVE            VULNERABILITY TITLE                            RISK
2020-01-29  CVE-2020-3715  Cross-site Scripting vulnerability in Magento  4.3
            Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a stored cross-site scripting vulnerability.
            Attack vector: network; product: magento; weakness: CWE-79
2020-01-29  CVE-2020-3758  Cross-site Scripting vulnerability in Magento  4.3
            Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a stored cross-site scripting vulnerability.
            Attack vector: network; product: magento; weakness: CWE-79

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Magento 3 52 119 27 11 209