Web admins urged to update with Magecart cybercrime groups likely circling
UPDATED Adobe has patched multiple serious flaws in Magento, its popular e-commerce platform, to guard against potential arbitrary code execution attacks.
A security bulletin issued by the software giant on Tuesday (January 28) provided fixes for six vulnerabilities – three of them critical – for Magento’s Commerce, Open Source, Enterprise, and Community editions.
Applying the patches is important because payment-card skimming Magecart groups may well seek to exploit any systems that remain unpatched in the coming weeks and months.
XSS flaws accounted for two of three patched vulnerabilities (CVE-2020-3715 and CVE-2020-3758) classed by Adobe as “important”, with the remaining flaw (CVE-2020-3717) exploitable through path traversal attacks.
Website admins are advised to promptly update Magento Commerce builds to version 2.3.4 or 2.2.11, Open Source editions to 2.3.4 or 2.2.11, Enterprise Editions to 220.127.116.11, and Community Editions to 18.104.22.168.
Adobe has assigned all six patches a “priority 2” rating, which means imminent attacks are not expected and that administrators should apply the updates within 30 days.
Adobe thanked four researchers – Ernesto Martin, Blaklis, Luke Rodgers, and Djordje Marjanovic – for discovering and reporting the vulnerabilities.
Magento powers e-commerce checkouts on thousands of websites, including Nike, Cisco, and Unipart.
A researcher who discovered three of the vulnerabilities, Blaklis, told The Daily Swig that an attacker would need to be granted “some administrative access – mainly email templates, pages, and product creation – to execute arbitrary commands on the underlying system.”
“Considering they're authenticated flaws, it's important but not urgent to apply the patches,” they said.
Blaklis added that the vulnerabilities were responsibly disclosed to Magento nearly three months ago.
“While the Magento team can easily be contacted through its HackerOne program, the quarterly schedule for updates makes it a bit long to wait for patches,” they said.
The Daily Swig has contacted Magento to find out more.
This article has been updated with comments from the researcher known as Blaklis.