Magento has released updates for Magento Commerce and Open Source editions. These updates resolve critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution.
Product | Version | Platform |
---|---|---|
Magento Commerce |
2.3.3 and earlier versions |
All |
Magento Open Source |
2.3.3 and earlier versions |
All |
Magento Commerce |
2.2.10 and earlier versions |
All |
Magento Open Source |
2.2.10 and earlier versions |
All |
Magento Enterprise Edition |
1.14.4.3 and earlier versions |
All |
Magento Community Edition |
1.9.4.3 and earlier versions |
All |
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.
Product | Version | Platform | Priority Rating | Availability |
Magento Commerce |
2.3.4 | All | 2 | 2.3.4 Commerce |
Magento Open Source |
2.3.4 | All |
2 |
2.3.4 Open Source |
Magento Commerce |
2.2.11 | All |
2 |
2.2.11 Commerce |
Magento Open Source |
2.2.11 | All |
2 |
2.2.11 Open Source |
Magento Enterprise Edition |
1.14.4.4 | All |
2 |
1.14.4 EE |
Magento Community Edition |
1.9.4.4 | All |
2 |
1.9.4.4 CE |
Vulnerability Category | Vulnerability Impact | Severity | Magento Bug ID |
CVE Numbers |
Stored cross-site scripting |
Sensitive information disclosure |
Important | PRODSECBUG-2543 |
CVE-2020-3715 |
Stored cross-site scripting |
Sensitive information disclosure |
Important |
PRODSECBUG-2599 |
CVE-2020-3758 |
Deserialization of untrusted data |
Arbitrary code execution |
Critical |
PRODSECBUG-2579 |
CVE-2020-3716 |
Path traversal |
Sensitive information disclosure |
Important |
PRODSECBUG-2632 |
CVE-2020-3717 |
Security bypass |
Arbitrary code execution |
Critical |
PRODSECBUG-2633 |
CVE-2020-3718 |
SQL injection |
Sensitive information disclosure |
Critical |
PRODSECBUG-2660 |
CVE-2020-3719 |
Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:
· Ernesto Martin (CVE-2020-3715)
· Blaklis (CVE-2020-3716, CVE-2020-3717, CVE-2020-3718)
· Luke Rodgers (CVE-2020-3719)
· Djordje Marjanovic (CVE-2020-3758)