Two code execution vulnerabilities were fixed by Adobe in Magento Commerce versions 2.3.5-p1 and earlier, and Magento Open Source versions 2.3.5-p1 and earlier. One of the vulnerabilities is rated as critical (CVE-2020-9689), and the other one as important (CVE-2020-9691).
Vulnerabilities in Magento Commerce versions 2.3.5-p1 and earlier, and Magento Open Source versions 2.3.5-p1 and earlier
The critical CVE-2020-9689 flaw has been caused by a path traversal issue which could allow attackers with admin privileges to execute arbitrary code, security researchers say. The important bug, known as CVE-2020-9691, is described as pre-auth DOM-based cross-site scripting issue (XSS) which could allow unauthenticated threat actors to run arbitrary code on vulnerable systems.
It should be noted that a third vulnerability was also patched – CVE-2020-9690. This issue is a result of an observable timing discrepancy bug, which could allow attackers with admin privileges to bypass signature verification.
Also Read Doki Malware Set Against Docker Servers
These are not the first critical code execution flaws in Magento, as two other sets of such bugs were addressed in January and then in April. All these vulnerabilities could allow attackers to run arbitrary code, in case a successful exploit would take place.
Exactly a month ago, Magento eCommerce-powered sites that were running on the 1.x branch needed to update their installations to protect themselves from potential hacking attacks that could be launched against the older branch. This was due to an end-of-life stage which was scheduled for June 30. This also meant that Adobe would no longer provide security updates to the platform.