Magento 2.3.4 Patches Critical Code Execution Vulnerabilities
2020-01-29 15:46

Magento 2.3.4 was released this week with patches for six vulnerabilities, including three that are considered critical.

Another critical flaw that could allow for the execution of arbitrary code is CVE-2020-3718, which Adobe describes as a security bypass issue.

All of the remaining three vulnerabilities patched in Magento 2.3.4 are considered important and all three could result in the disclosure of sensitive information.

These vulnerabilities were found to impact both Magento Commerce and Magento Open Source, versions 2.3.3 and earlier and 2.2.10 and earlier, as well as Magento Enterprise Edition 1.14.4.3 and earlier, and Magento Community Edition 1.9.4.3 and earlier.

In an attempt to reduce attack surface and prevent remote code execution attacks, the new Magento version converts the Custom Layout Update field on the CMS Page Edit, Category Edit, and Product Edit pages to a selector.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/Huq0iOsUnCg/magento-234-patches-critical-code-execution-vulnerabilities

Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-01-29 | CVE-2020-3718 | Unspecified vulnerability in Magento. Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a security bypass vulnerability. (network, low complexity, magento) | critical, 10.0 |

Related vendor

| VENDOR | LAST 12M | #/PRODUCTS | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS |
|---|---|---|---|---|---|---|---|
| Magento | | 3 | 52 | 119 | 27 | 11 | 209 |