Magento 2.3.4 Patches Critical Code Execution Vulnerabilities (Security News, January 2020)
Magento 2.3.4 was released this week with patches for six vulnerabilities, including three that are considered critical.
Another critical flaw that could allow for the execution of arbitrary code is CVE-2020-3718, which Adobe describes as a security bypass issue.
All of the remaining three vulnerabilities patched in Magento 2.3.4 are considered important and all three could result in the disclosure of sensitive information.
These vulnerabilities were found to impact both Magento Commerce and Magento Open Source, versions 2.3.3 and earlier and 2.2.10 and earlier, as well as Magento Enterprise Edition 1.14.4.3 and earlier, and Magento Community Edition 1.9.4.3 and earlier.
In an attempt to reduce attack surface and prevent remote code execution attacks, the new Magento version converts the Custom Layout Update field on the CMS Page Edit, Category Edit, and Product Edit pages to a selector.
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-01-29 | CVE-2020-3718 | Unspecified vulnerability in Magento. Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a security bypass vulnerability. | 9.8 |