Magento receives updates for vulnerabilities that allow hackers to take control of e-commerce sites using the platform

Aug 11, 2021 15:38 GMT

A significant set of security updates was released on Monday to address numerous high-severity vulnerabilities in Magento, Adobe's e-commerce platform, according to The Hacker News.

The vulnerabilities affect Magento 2.4.2, 2.4.2-p1, and 2.3.7, as well as any earlier version of Magento, and likewise Magento Open Source edition versions 2.3.7, 2.4.2-p1, and any earlier version of Magento Open Source edition. Of the 26 vulnerabilities, 20 are considered severe and 6 are deemed to be of extreme significance.

None of the vulnerabilities patched this month was publicly known or under active attack at the time the patches were released. An attacker who successfully exploited them could obtain elevated access, run malicious code, and take control of a Magento website along with its host server. Magento users are strongly advised to apply the updates as soon as possible in order to mitigate the associated risks.

The following vulnerabilities have been addressed by the most recent patches:

  • CVE-2021-36031 - Arbitrary code execution due to path bypass, with a CVSS score of 9.1
  • CVE-2021-36021 - Execution of arbitrary code due to improper input validation, with a CVSS score of 9.1
  • CVE-2021-36044 - Application denial of service, with a CVSS score of 7.5
  • CVE-2021-36025 - Execution of arbitrary code due to improper input validation, with a CVSS score of 9.1
  • CVE-2021-36020 - Arbitrary code execution due to XML injection, with a CVSS score of 9.1
  • CVE-2021-36024 - Execution of arbitrary code due to improper input validation, with a CVSS score of 9.1
  • CVE-2021-36029 - Security feature bypass, with a CVSS score of 9.1
  • CVE-2021-36028 and CVE-2021-36033 - Execution of arbitrary code due to XML injection, with a CVSS score of 9.1
  • CVE-2021-36035 - Execution of arbitrary code due to improper input validation, with a CVSS score of 9.1
  • CVE-2021-36040, CVE-2021-36041, and CVE-2021-36042 - Execution of arbitrary code due to improper input validation, with a CVSS score of 9.1
  • CVE-2021-36022 and CVE-2021-36023 - OS command injection leading to arbitrary code execution, with a CVSS score of 9.1
  • CVE-2021-36036 - Execution of arbitrary code due to improper access control, with a CVSS score of 9.1
  • CVE-2021-36034 - Execution of arbitrary code due to improper input validation, with a CVSS score of 9.1
  • CVE-2021-36032 - Privilege escalation, with a CVSS score of 8.3
  • CVE-2021-36043 - Execution of arbitrary code due to server-side request forgery (SSRF), with a CVSS score of 8.0
  • CVE-2021-36030 - Security feature bypass, with a CVSS score of 7.5
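The practical question for an operator reading the affected-version list above is whether a given installation falls inside it. The following Python script is an added example, not code from the article, The Hacker News, or Adobe: it parses Magento version strings, including the `-pN` patch-release suffix, and compares them against the ceilings the article gives for each maintenance line (2.4.2-p1 on the 2.4 line, 2.3.7 on the 2.3 line, and everything earlier). It assumes that a release numbered above those ceilings on the same line carries the August 2021 fixes, and the sample CLI output it reads is constructed for the example; the article does not state the fixed version numbers, so the script reports "not listed as affected" rather than naming a fixed release.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]

# Highest affected release on each maintenance line, taken from the article's
# affected-version list. Assumption (not stated in the article): any later
# release on the same line includes the August 2021 security fixes.
AFFECTED_CEILING = {
    (2, 3): (2, 3, 7, 0),   # 2.3.7 and earlier
    (2, 4): (2, 4, 2, 1),   # 2.4.2-p1 and earlier
}

# MAJOR.MINOR.PATCH with an optional Magento patch-release suffix "-pN".
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?")


def parse_version(text: str) -> Version:
    """Turn '2.4.2-p1' into (2, 4, 2, 1) so tuples compare in release order.

    A base release has patch level 0, so 2.4.2 < 2.4.2-p1 < 2.4.3.
    """
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {text!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p) if p else 0)


def version_from_cli_output(output: str) -> Optional[str]:
    """Pull the version out of a line such as the constructed sample
    'Magento CLI 2.4.2-p1'; the exact wording of the real CLI banner is
    assumed, so we only look for the version-shaped token."""
    m = VERSION_RE.search(output)
    return m.group(0) if m else None


def is_affected(text: str) -> bool:
    """True if the version is within the affected set the article lists."""
    v = parse_version(text)
    line = v[:2]
    if line in AFFECTED_CEILING:
        return v <= AFFECTED_CEILING[line]
    # Anything on a line older than 2.3 is one of the "earlier versions";
    # lines newer than 2.4 are not covered by the article at all.
    return line < (2, 3)


def triage(text: str) -> str:
    """One-line verdict suitable for an inventory report."""
    if is_affected(text):
        return f"{text}: AFFECTED - apply the August 2021 Magento security updates"
    return f"{text}: not listed as affected by the August 2021 advisory"


if __name__ == "__main__":
    # Constructed inventory lines: one CLI banner plus plain version strings.
    sample_cli_banner = "Magento CLI 2.4.2-p1"
    found = version_from_cli_output(sample_cli_banner)
    for candidate in [found, "2.3.7", "2.3.7-p1", "2.2.11", "2.4.3"]:
        if candidate:
            print(triage(candidate))
```

Run it against the output of `bin/magento --version` on each store in your inventory; patch-release suffixes are what most ad-hoc version comparisons get wrong, and the tuple ordering here handles them explicitly.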