Magento has released updates for Magento Commerce 2 (formerly known as Magento Enterprise Edition) and Magento Open Source 2 (formerly known as Magento Community Edition). These updates resolve vulnerabilities rated Important and Critical . Successful exploitation could lead to arbitrary code execution and signature verification bypass.
Product | Version | Platform |
---|---|---|
Magento Commerce 2 |
2.3.5-p1 and earlier versions |
All |
Magento Open Source 2 |
2.3.5-p1 and earlier versions |
All |
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.
Product | Updated Version | Platform | Priority Rating | Release Notes |
Magento Commerce 2 |
2.4.0 | All |
2 |
2.4.0 Commerce |
Magento Open Source 2 |
2.4.0 | All |
2 |
2.4.0 Open Source |
Magento Commerce 2 |
2.3.5-p2 | All | 2 | N/A |
Magento Open Source 2 |
2.3.5-p2 | All | 2 | N/A |
Note:
Pre-authentication: The vulnerability is exploitable without credentials.
Admin privileges required: The vulnerability is only exploitable by an attacker with administrative privileges.
Adobe would like to thank the following individuals for reporting the relevant issues and for working with Adobe to help protect our customers:
- Edgar Boda-Majer of Bugscale and Blaklis (CVE-2020-9689)
- Wasin Sae-ngow (CVE-2020-9690)
- Linus Särud (CVE-2020-9691)
- Edgar Boda-Majer of Bugscale (CVE-2020-9692)