Security News

Hundreds of Magento Stores Hacked Daily in Major Skimming Campaign
2020-09-14 15:36

Thousands of Magento-powered online stores have been hacked over the past few days as part of a skimming campaign that has been described as the "largest ever." Sansec on Monday reported seeing nearly 2,000 Magento stores that have been compromised as part of this campaign since Friday - over 1,000 stores were hacked on Saturday, more than 600 on Sunday, and over 200 so far on Monday.

Magento Sites Vulnerable to RCE Stemming From Magmi Plugin Flaws
2020-09-01 20:19

Satnam Narang, staff research engineer at Tenable, told Threatpost that researchers can't definitively say how many Magento sites are vulnerable - however, they were able to identify at least 1,500 websites indexed through search engines that use the Magmi plugin. The second, now patched flaw, CVE-2020-5777, is an authentication bypass flaw in Magmi for Magento version 0.7.23 and below.

Critical Magento Flaws Allow Code Execution
2020-07-29 21:22

Critical flaws in Adobe's Magento e-commerce platform - which is commonly targeted by attackers like the Magecart cybergang - could enable arbitrary code execution on affected systems. Adobe on Tuesday released security updates for flaws affecting Magento Commerce 2 and Magento Open Source 2, versions 2.3.5-p1 and earlier.

Tuesday’s Magento 1 EOL Leaves Clock Ticking on 100K Online Stores
2020-06-29 18:56

With Magento 1 reaching end-of-life on Tuesday, Adobe is making a last-ditch effort to urge the 100,000 online stores still running the outdated version to migrate to Magento 2. Adobe is pulling the plug on security fixes for Magento Commerce 1.14 and Magento Open Source 1.

Magento 1 reaches EOL: Merchants urged to upgrade or risk breaches, falling out of PCI DSS compliance
2020-06-29 11:09

When Adobe released security updates for Magento last week, it warned that the Magento 1.x branch is reaching end-of-life and support on June 30, 2020, and that those were the final security patches available for Magento Commerce 1.14 and Magento Open Source 1. "If you have a store that continues to run on Magento 1 after June 30, please be aware that from that date forward you have increased responsibility for maintaining your site's security and PCI DSS compliance," Adobe warned.

Bumper Adobe update fixes flaws in Magento, Bridge and Illustrator
2020-04-30 13:29

After a light Patch Tuesday earlier this month, Adobe has issued an unexpectedly large bundle of critical security fixes for flaws affecting its Magento, Bridge and Illustrator products. The vulnerabilities affect version 10.0.1 and earlier for Windows and updates to Bridge version 10.0.4 for both Windows and macOS. Updates for the different versions of the Magento ecommerce platform, Open Source and Enterprise, offer fixes for 13 CVEs, including six rated critical in APSB20-22, each individually listed with PRODSECBUG numbers.

Adobe fixes critical flaws in Magento, Adobe Illustrator and Bridge
2020-04-29 09:12

Adobe has pushed out security updates fixing critical flaws in Magento Commerce, Open Source Enterprise and Community editions, Adobe Illustrator 2020 for Windows, and Adobe Bridge for Windows. The Adobe Illustrator vector graphics editor has been updated to close five critical memory corruption vulnerabilities that could be exploited for arbitrary code execution.

Six Critical Vulnerabilities Patched in Magento
2020-04-29 08:51

Updates released by Adobe on Tuesday for the Magento Commerce and Open Source editions address multiple critical severity vulnerabilities that could lead to arbitrary code execution. A total of six critical vulnerabilities were patched in the popular e-commerce platform, none of which requires authentication for successful exploitation.

Critical Adobe Illustrator, Bridge and Magento Flaws Patched
2020-04-28 20:20

Adobe is warning of critical flaws in Adobe Bridge, Adobe Illustrator and the Magento e-commerce platform. The majority of these flaws affect Adobe Bridge, the company's digital asset management software.

Critical Security Patches Released for Magento, Adobe Illustrator and Bridge
2020-04-28 15:24

It's not 'Patch Tuesday,' but software giant Adobe today released emergency updates for three of its widely used products that patch dozens of newly discovered critical vulnerabilities. The list of affected software includes Adobe Illustrator, Adobe Bridge, and the Magento e-commerce platform, which contain a total of 35 vulnerabilities, with each product affected by multiple critical arbitrary code execution flaws.