Magento Update Fixes Multiple Code Execution Vulnerabilities

Adobe released an update yesterday for all editions of Magento, fixing six vulnerabilities. Of the three rated critical, two could lead to code execution. Magento stores are a frequent target of online skimming attacks; the group behind many of them is known as “MageCart” because of its focus on Magento sites. Affected stores typically have extra JavaScript files added to their pages that steal customer and credit card information from the forms shoppers fill in.

Addressed Vulnerabilities

  • CVE-2020-3715 – Sensitive information disclosure
  • CVE-2020-3758 – Sensitive information disclosure
  • CVE-2020-3716 – Arbitrary code execution
  • CVE-2020-3717 – Sensitive information disclosure
  • CVE-2020-3718 – Arbitrary code execution
  • CVE-2020-3719 – Sensitive information disclosure

Analyst Notes

Operators of Magento sites should update to the latest version as soon as possible to prevent exploitation. On top of keeping the software up to date, monitoring for changes to files on the web server can alert administrators to unexpected modifications of source code that could be malicious. Consider implementing a Content Security Policy to keep JavaScript from communicating with unexpected external domains. When possible, host all JavaScript dependencies locally rather than loading them from external CDNs, so that file monitoring covers changes to those files as well.
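The file-change monitoring recommended above, as an added example (not code from the original advisory or from Adobe): a small baseline-and-compare check that hashes every file under the web root, reports added, modified and removed files, and lists script-like files first, since that is where an injected skimmer would land. The web root and baseline paths are assumptions; adjust them to the deployment.

```python
"""Minimal file-integrity check for a Magento web root (added example)."""
import hashlib
import json
from pathlib import Path

# Suffixes an injected skimmer is most likely to land in; every file is hashed,
# these only decide which changes are reported first.
SCRIPT_SUFFIXES = {".js", ".phtml", ".php", ".html"}


def snapshot(root):
    """Return {relative_path: sha256 hex} for every regular file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def diff_snapshots(baseline, current):
    """Compare two snapshots; returns sorted added/modified/removed path lists."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


def high_priority(changes):
    """Added or modified paths with a script-like suffix: review these first."""
    return sorted(p for p in changes["added"] + changes["modified"]
                  if Path(p).suffix.lower() in SCRIPT_SUFFIXES)


if __name__ == "__main__":
    # Assumed paths; the baseline must live where the web server account
    # cannot write, or an intruder could simply re-baseline after injecting.
    web_root = Path("/var/www/magento")                 # assumption
    baseline_file = Path("/var/lib/fim/baseline.json")  # assumption
    current = snapshot(web_root)
    if baseline_file.exists():
        changes = diff_snapshots(json.loads(baseline_file.read_text()), current)
        print(json.dumps(changes, indent=1))
        print("review first:", high_priority(changes))
    else:
        baseline_file.parent.mkdir(parents=True, exist_ok=True)
        baseline_file.write_text(json.dumps(current, indent=1, sort_keys=True))
```

Run it once after a clean install or upgrade to record the baseline, then on a schedule; re-baseline only after a deliberate deployment.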

Source: https://www.bleepingcomputer.com/news/security/magento-234-fixes-critical-code-execution-vulnerabilities/, https://helpx.adobe.com/security/products/magento/apsb20-02.html