Adobe on Tuesday shipped security updates to remediate a number of important vulnerabilities in its Magento e-commerce platform that could be abused by an attacker to execute arbitrary code and take control of a vulnerable system.
The issues affect Magento Commerce 2.3.7, 2.4.2-p1, 2.4.2 and earlier versions, and Magento Open Source 2.3.7, 2.4.2-p1 and all prior versions. Of the 26 flaws addressed, 20 are rated Critical and six are rated Important in severity. None of the vulnerabilities fixed this month by Adobe are listed as publicly known or under active attack at the time of release.
The most concerning of the bugs are as follows:
- CVE-2021-36021, CVE-2021-36024, CVE-2021-36025, CVE-2021-36034, CVE-2021-36035, CVE-2021-36040, CVE-2021-36041, and CVE-2021-36042 (CVSS score: 9.1) – Arbitrary code execution due to improper input validation
- CVE-2021-36022 and CVE-2021-36023 (CVSS score: 9.1) – Arbitrary code execution due to OS command injection
- CVE-2021-36028 and CVE-2021-36033 (CVSS score: 9.1) – Arbitrary code execution due to XML injection
- CVE-2021-36036 (CVSS score: 9.1) – Arbitrary code execution due to improper access control
- CVE-2021-36029 (CVSS score: 9.1) – Security feature bypass
- CVE-2021-36032 (CVSS score: 8.3) – Privilege escalation
- CVE-2021-36020 (CVSS score: 8.2) – Arbitrary code execution due to XML injection
- CVE-2021-36043 (CVSS score: 8.0) – Arbitrary code execution due to server-side request forgery (SSRF)
- CVE-2021-36044 (CVSS score: 7.5) – Application denial-of-service
- CVE-2021-36030 (CVSS score: 7.5) – Security feature bypass
- CVE-2021-36031 (CVSS score: 7.2) – Arbitrary code execution due to path traversal
Successful exploitation of the aforementioned pre-authentication vulnerabilities could allow an adversary to escalate privileges and run malicious code, enabling the threat actor to seize control of a Magento site and its server.
Users are strongly encouraged to download the appropriate patches and install them promptly to mitigate the risks associated with the flaws.