Adobe on Tuesday shipped security updates[1]
to remediate multiple critical vulnerabilities in its Magento
e-commerce platform that could be abused by an attacker to execute
arbitrary code and take control of a vulnerable system.
The issues[2]
affect 2.3.7, 2.4.2-p1, 2.4.2, and earlier versions of Magento
Commerce, and 2.3.7, 2.4.2-p1, and all prior versions of Magento
Open Source edition. Of the 26 flaws addressed, 20 are rated
Critical, and six are rated Important in severity. None of the
vulnerabilities fixed this month by Adobe are listed as publicly
known or under active attack at the time of release.
The most concerning of the bugs are as follows –
- CVE-2021-36021, CVE-2021-36024, CVE-2021-36025, CVE-2021-36034, CVE-2021-36035, CVE-2021-36040, CVE-2021-36041, and CVE-2021-36042 (CVSS score: 9.1) – Arbitrary code execution due to improper input validation
- CVE-2021-36022 and CVE-2021-36023 (CVSS score: 9.1) – Arbitrary code execution due to OS command injection
- CVE-2021-36028 and CVE-2021-36033 (CVSS score: 9.1) – Arbitrary code execution due to XML injection
- CVE-2021-36036 (CVSS score: 9.1) – Arbitrary code execution due to improper access control
- CVE-2021-36029 (CVSS score: 9.1) – Security feature bypass
- CVE-2021-36032 (CVSS score: 8.3) – Privilege escalation
- CVE-2021-36020 (CVSS score: 8.2) – Arbitrary code execution due to XML injection
- CVE-2021-36043 (CVSS score: 8.0) – Arbitrary code execution due to server-side request forgery (SSRF)
- CVE-2021-36044 (CVSS score: 7.5) – Application denial-of-service
- CVE-2021-36030 (CVSS score: 7.5) – Security feature bypass
- CVE-2021-36031 (CVSS score: 7.2) – Arbitrary code execution due to path traversal
The aforementioned pre-authentication vulnerabilities could be
exploited by an adversary to escalate privileges and run malicious
code, enabling the threat actor to seize control of a Magento site
and its server.
Users are highly advised to move quickly to download the
appropriate patches and install them to mitigate the risks
associated with the flaws.
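The first question a site operator has to answer before patching is whether the installed release falls inside the affected range quoted above. The following checker is an added example written for this article, not tooling from Adobe or the Magento project. It assumes the version is obtained from the text printed by `bin/magento --version`, uses the edition names "Commerce" and "Open Source" as labels, and interprets "X, Y, and earlier versions" as: at or below the highest listed version on the same release branch, or any older branch; newer branches are simply not flagged. The Magento patch-level suffix (`-pN`) is parsed so that 2.4.2 sorts below 2.4.2-p1, which a naive string comparison gets wrong.

```python
import re
from typing import Optional, Tuple

# Affected versions as given in the advisory summary above. The page says
# "and earlier versions" for each edition and does not name the fixed
# releases, so this checker treats any version at or below the listed
# ones (and anything on an older release branch) as affected. Hypothetical
# checker written for this article; not Adobe's or Magento's own tooling.
AFFECTED_VERSIONS = {
    "Commerce": ("2.3.7", "2.4.2-p1", "2.4.2"),
    "Open Source": ("2.3.7", "2.4.2-p1"),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a Magento version string such as '2.4.2-p1' into a sortable
    tuple (major, minor, patch, p-level). A release without a '-pN'
    suffix gets p-level 0, so 2.4.2 < 2.4.2-p1 < 2.4.3 as expected."""
    m = VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised Magento version string: {text!r}")
    major, minor, patch, p_level = m.groups()
    return (int(major), int(minor), int(patch), int(p_level or 0))


def version_from_cli_output(output: str) -> Optional[str]:
    """Extract the version from the text printed by `bin/magento --version`
    (assumed to contain something like 'Magento CLI 2.4.2-p1')."""
    m = VERSION_RE.search(output)
    return m.group(0) if m else None


def is_affected(edition: str, version: str) -> bool:
    """Return True if `version` of the given edition falls inside the
    affected range listed in the advisory summary.

    Rule (an interpretation of 'X, Y, and earlier versions'):
      * on a listed release branch (2.3.x or 2.4.x), affected iff the
        version is at or below the highest listed version on that branch;
      * on an older branch than any listed, affected ('earlier versions');
      * on a newer branch, not listed, so not flagged.
    """
    ver = parse_version(version)
    listed = [parse_version(v) for v in AFFECTED_VERSIONS[edition]]
    same_branch = [lv for lv in listed if lv[:2] == ver[:2]]
    if same_branch:
        return ver <= max(same_branch)
    return ver[:2] < min(lv[:2] for lv in listed)


if __name__ == "__main__":
    # Constructed sample of CLI output, not captured from a real host.
    sample = "Magento CLI 2.4.2-p1"
    found = version_from_cli_output(sample)
    for edition in AFFECTED_VERSIONS:
        verdict = "AFFECTED" if is_affected(edition, found) else "not listed as affected"
        print(f"{edition} {found}: {verdict}")
```

Because the page does not name the fixed releases, a version on a newer branch is reported as "not listed as affected" rather than "fixed"; confirm against Adobe's bulletin before treating such a host as patched.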
References
- [1] security updates (helpx.adobe.com)
- [2] issues (helpx.adobe.com)
