Magento 2.3.4 Patches Critical Code Execution Vulnerabilities (January 2020)
Magento 2.3.4 was released this week with patches for six vulnerabilities, including three that are considered critical.
Another critical flaw that could allow for the execution of arbitrary code is CVE-2020-3718, which Adobe describes as a security bypass issue.
The remaining three vulnerabilities patched in Magento 2.3.4 are considered important, and all three could result in the disclosure of sensitive information.
These vulnerabilities were found to impact both Magento Commerce and Magento Open Source, versions 2.3.3 and earlier and 2.2.10 and earlier, as well as Magento Enterprise Edition 1.14.4.3 and earlier, and Magento Community Edition 1.9.4.3 and earlier.
In an attempt to reduce attack surface and prevent remote code execution attacks, the new Magento version converts the Custom Layout Update field on the CMS Page Edit, Category Edit, and Product Edit pages to a selector.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-01-29 | CVE-2020-3718 | Unspecified vulnerability in Magento Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a security bypass vulnerability. | 9.8 |