Threat Watch

Magento Update Fixes Multiple Code Execution Vulnerabilities

Adobe released an update yesterday for all editions of Magento, fixing six different vulnerabilities. Out of the three vulnerabilities that were marked as critical, two of them had the possibility to lead to code execution. The group behind many of these online skimming attacks is known as “MageCart” due to their targeting of Magento sites. Affected stores typically have extra JavaScript files added to the page that steals customer and credit card information from the form.

Addressed Vulnerabilities

  • CVE-2020-3715 – Sensitive information disclosure
  • CVE-2020-3758 – Sensitive information disclosure
  • CVE-2020-3716 – Arbitrary code execution
  • CVE-2020-3717 – Sensitive information disclosure
  • CVE-2020-3718 – Arbitrary code execution
  • CVE-2020-3719 – Sensitive information disclosure

Subscribe to Threat Watch

Daily summaries of threats, delivered straight to your inbox!


Click Here to Subscribe to Threat Watch

ANALYST NOTES

Operators of Magento sites should update to the latest version as soon as possible to prevent exploitation. On top of keeping the software up-to-date, monitoring for changes to files on the web server can alert administrators of unexpected changes to source code that could be malicious. Consider implementing a Content Security Policy to keep JavaScript from communicating with unexpected external domains. When possible, host all JavaScript dependencies locally rather than using external CDNs. This will allow file monitoring to alert administrators to changes in these files as well.

Source: https://www.bleepingcomputer.com/news/security/magento-234-fixes-critical-code-execution-vulnerabilities/, https://helpx.adobe.com/security/products/magento/apsb20-02.html

Facebook Twitter Instagram Youtube Linkedin
Solutions
Become a Reseller

Industries

Resources

About

Contact Us
Contact Support