Security News > 2020 > January > Magento 2.3.4 Patches Critical Code Execution Vulnerabilities

Magento 2.3.4 Patches Critical Code Execution Vulnerabilities
2020-01-29 15:46

Magento 2.3.4 was released this week with patches for six vulnerabilities, including three that are considered critical.

Another critical flaw that could allow for the execution of arbitrary code is CVE-2020-3718, which Adobe describes as a security bypass issue.

All of the remaining three vulnerabilities patched in Magento 2.3.4 are considered important and all three could result in the disclosure of sensitive information.

These vulnerabilities were found to impact both Magento Commerce and Magento Open Source, versions 2.3.3 and earlier and 2.2.10 and earlier, as well as Magento Enterprise Edition 1.14.4.3 and earlier, and Magento Community Edition 1.9.4.3 and earlier.

In an attempt to reduce attack surface and prevent remote code execution attacks, the new Magento version converts the Custom Layout Update field on the CMS Page Edit, Category Edit, and Product Edit pages to a selector.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/Huq0iOsUnCg/magento-234-patches-critical-code-execution-vulnerabilities

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2020-01-29 CVE-2020-3718 Unspecified vulnerability in Magento
Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a security bypass vulnerability.
network
low complexity
magento
critical
9.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Magento 3 4 103 65 27 199