Colin Mc Hugo

Security Engineer Manager & CEO at Quantum Infinite Solutions Group Ltd.

Magento Update Released to Fix Critical Flaws Affecting E-Commerce Sites

August 11, 2021
Magento

Adobe on Tuesday shipped security updates to remediate multiple critical vulnerabilities in its Magento e-commerce platform that could be abused by an attacker to execute arbitrary code and take control of a vulnerable system.

The issues affect Magento Commerce 2.3.7, 2.4.2-p1, 2.4.2 and earlier versions, and Magento Open Source 2.3.7, 2.4.2-p1 and all prior versions. Of the 26 flaws addressed, 20 are rated Critical and 6 are rated Important in severity. None of the vulnerabilities fixed this month by Adobe are listed as publicly known or under active attack at the time of release.


The most concerning of the bugs are as follows:

  • CVE-2021-36021, CVE-2021-36024, CVE-2021-36025, CVE-2021-36034, CVE-2021-36035, CVE-2021-36040, CVE-2021-36041, and CVE-2021-36042 (CVSS score: 9.1) – Arbitrary code execution due to improper input validation
  • CVE-2021-36022 and CVE-2021-36023 (CVSS score: 9.1) – Arbitrary code execution due to OS command injection
  • CVE-2021-36028 and CVE-2021-36033 (CVSS score: 9.1) – Arbitrary code execution due to XML injection
  • CVE-2021-36036 (CVSS score: 9.1) – Arbitrary code execution due to improper access control
  • CVE-2021-36029 (CVSS score: 9.1) – Security feature bypass
  • CVE-2021-36032 (CVSS score: 8.3) – Privilege escalation
  • CVE-2021-36020 (CVSS score: 8.2) – Arbitrary code execution due to XML injection
  • CVE-2021-36043 (CVSS score: 8.0) – Arbitrary code execution due to server-side request forgery (SSRF)
  • CVE-2021-36044 (CVSS score: 7.5) – Application denial-of-service
  • CVE-2021-36030 (CVSS score: 7.5) – Security feature bypass
  • CVE-2021-36031 (CVSS score: 7.2) – Arbitrary code execution due to path traversal

Successful exploitation of the aforementioned pre-authentication vulnerabilities could allow an adversary to escalate privileges and run malicious code, enabling the threat actor to seize control of a Magento site and its server. Before prioritising individual CVEs, check the CVSS vectors in Adobe's bulletin for this release (APSB21-64), since a 9.1 base score does not by itself tell you whether a flaw is reachable without credentials or requires an authenticated admin account.

Users are highly recommended to move quickly to download the appropriate patches and install them to mitigate the risks associated with the flaws.
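To turn the affected-version list above into something you can run across an estate of stores, here is an added example (my code, not Adobe's or Magento's). It parses Magento's `major.minor.patch[-pN]` version strings so that `2.4.2 < 2.4.2-p1 < 2.4.3` sorts correctly, compares an installed version against the ceilings the article gives (2.3.7 on the 2.3 line, 2.4.2-p1 on the 2.4 line, everything older on earlier lines), and reads the installed edition and version out of a `composer.lock`. The composer package names are the standard Magento metapackages; the lock-file content at the bottom is constructed for the example.

```python
"""Check a Magento version against the ranges affected by Adobe's
August 2021 Magento security update (ranges taken from the article).

Added example; not part of the article, Adobe or Magento tooling.
"""
import json
import re

# Magento versions look like 2.4.2 or 2.4.2-p1 (security patch release).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(version):
    """Return a comparable tuple (major, minor, patch, p) for '2.4.2-p1'.

    A missing -pN suffix sorts as p=0, so 2.4.2 < 2.4.2-p1 < 2.4.3.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version: {version!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


# Highest version on each release line that the article lists as affected.
# Both Commerce and Open Source share these ceilings.
AFFECTED_CEILINGS = {
    (2, 3): parse_version("2.3.7"),
    (2, 4): parse_version("2.4.2-p1"),
}


def is_affected(version):
    """True if the given Magento version falls inside an affected range."""
    v = parse_version(version)
    line = v[:2]
    if line in AFFECTED_CEILINGS:
        return v <= AFFECTED_CEILINGS[line]
    # Release lines older than 2.3 (e.g. 2.2.x) are "all prior versions".
    return line < (2, 3)


# Standard Magento metapackages that pin the platform version in composer.
EDITION_PACKAGES = {
    "magento/product-community-edition": "Open Source",
    "magento/product-enterprise-edition": "Commerce",
}


def edition_from_lock(lock_text):
    """Return (edition, version) from composer.lock content, or None.

    composer.lock carries a "packages" array of {"name", "version", ...}.
    """
    data = json.loads(lock_text)
    for pkg in data.get("packages", []):
        edition = EDITION_PACKAGES.get(pkg.get("name"))
        if edition:
            return edition, pkg["version"]
    return None


def assess_lock(lock_text):
    """Return (edition, version, affected) for a composer.lock, or None."""
    found = edition_from_lock(lock_text)
    if found is None:
        return None
    edition, version = found
    return edition, version, is_affected(version)


# Constructed sample lock file for the example (not a real store's file).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "magento/framework", "version": "103.0.2"},
        {"name": "magento/product-community-edition", "version": "2.4.2-p1"},
    ]
})

if __name__ == "__main__":
    print(assess_lock(SAMPLE_LOCK))
    for ver in ("2.3.7", "2.3.7-p1", "2.4.2", "2.4.2-p1", "2.4.3", "2.2.11"):
        print(ver, "affected" if is_affected(ver) else "not affected")
```

Run it against each store's real `composer.lock` (`assess_lock(open("composer.lock").read())`) rather than trusting the version shown in the admin UI, since a half-applied patch release can leave the two disagreeing. Note that `2.3.7-p1` and `2.4.3` both sort above their line's ceiling and are reported as not affected.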
