Adobe urges users to update popular e-commerce platform

Half a dozen critical flaws give e-commerce sites good reason to update Magento

E-commerce sites that rely on the widely used Magento platform ought to update their installations following the release of a batch of security updates, some of which are critical.

Magento Commerce and Magento Open Source both need patching against a total of 18 CVE-rated vulnerabilities. Users should upgrade to version 2.4.2, 2.4.1-p1 or 2.3.6-p1, whichever matches their release branch, since every earlier build in those branches remains vulnerable.
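A practitioner's first question is whether a given store already runs one of those fixed versions. The following is an added example, not code from the article or from Adobe: it parses Magento's version strings (including the "-pN" security-patch suffix) and compares them, per 2.x branch, against the three fixed versions named above. It assumes the site was installed via Composer, so the version can be read from composer.lock under the package name magento/product-community-edition or magento/product-enterprise-edition; the composer.lock excerpt at the bottom is constructed for the demonstration.

```python
import json
import re
from typing import NamedTuple, Optional


class MagentoVersion(NamedTuple):
    """Magento release version; the '-pN' suffix marks a security patch release."""
    major: int
    minor: int
    patch: int
    security: int  # N from '-pN'; 0 when the suffix is absent


VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")

# Lowest version in each affected 2.x branch that contains the fixes
# (2.4.2, 2.4.1-p1 and 2.3.6-p1, the versions named in the article).
FIXED_VERSIONS = {
    (2, 3): [MagentoVersion(2, 3, 6, 1)],
    (2, 4): [MagentoVersion(2, 4, 2, 0), MagentoVersion(2, 4, 1, 1)],
}

# Composer package names of the two editions (assumption: Composer-based install).
MAGENTO_PACKAGES = (
    "magento/product-community-edition",
    "magento/product-enterprise-edition",
)


def parse_version(text: str) -> MagentoVersion:
    """Turn '2.4.1-p1' into MagentoVersion(2, 4, 1, 1); reject anything else."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {text!r}")
    major, minor, patch, security = m.groups()
    return MagentoVersion(int(major), int(minor), int(patch), int(security or 0))


def assess(text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unsupported' for a version string."""
    v = parse_version(text)
    branch = (v.major, v.minor)
    if branch in FIXED_VERSIONS:
        # Tuples compare field by field, so 2.4.1 < 2.4.1-p1 < 2.4.2: a plain 2.4.1
        # fails both thresholds, while 2.4.1-p1 and any later -pN meet the second.
        return "patched" if any(v >= f for f in FIXED_VERSIONS[branch]) else "vulnerable"
    if branch > max(FIXED_VERSIONS):
        return "patched"  # later branch, released after these fixes
    return "unsupported"  # older branch with no fix available; treat as vulnerable


def version_from_composer_lock(lock_json: str) -> Optional[str]:
    """Pull the installed Magento product version out of composer.lock contents."""
    lock = json.loads(lock_json)
    for pkg in lock.get("packages", []):
        if pkg.get("name") in MAGENTO_PACKAGES:
            return pkg.get("version")
    return None


# Constructed composer.lock excerpt for the demonstration, not a real site's file.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "magento/framework", "version": "103.0.1"},
        {"name": "magento/product-community-edition", "version": "2.4.1"},
    ]
})


if __name__ == "__main__":
    installed = version_from_composer_lock(SAMPLE_LOCK)
    print(f"installed {installed}: {assess(installed)}")
    for candidate in ("2.3.6", "2.3.6-p1", "2.4.0", "2.4.1-p1", "2.4.2", "2.2.11"):
        print(f"{candidate:>9}: {assess(candidate)}")
```

On a real host, feed the contents of the site's composer.lock to version_from_composer_lock; a branch older than 2.3 is reported as unsupported because no fixed build exists for it, which for patching purposes means the same as vulnerable.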


In its release notes, Adobe said it is “not aware of any exploits in the wild for any of the issues addressed in these updates”, while warning that successful exploitation of the worst of the flaws could result in arbitrary code execution.

The other five critical flaws in the batch are a security bypass, a stored cross-site scripting (XSS) bug, an XML injection, a command injection, and a ‘File Upload Allow List Bypass’.

In addition, Angular, a library that Magento itself depends on, needs to be updated because of a prototype pollution issue.

More details on the vulnerabilities, and the security researchers who discovered them, can be found in Adobe’s Magento-related security bulletin.

Other Adobe updates

This month’s Patch Tuesday also brought critical updates for Adobe Acrobat and Reader, as well as for Photoshop, Animate, Illustrator, and Dreamweaver.

Of particular note is CVE-2021-21017, which Adobe warned has been exploited in the wild in “limited attacks targeting Adobe Reader users on Windows”. Adobe’s security bulletin for Acrobat and Reader notes that the vulnerability was reported to the company anonymously.

The Adobe releases were issued against the backdrop of Microsoft’s own February Patch Tuesday update, which this month addressed 11 critical vulnerabilities among a litter of 56 flaws.

Of particular note is a critical remote code execution (RCE) vulnerability in Microsoft DNS Server (CVE-2021-24078), which might be exploited without user interaction – making it potential fodder for worm-style malware.

Enterprises with Microsoft DNS Server in their network, especially where it is exposed to the internet, ought to be on guard.
