Adobe released an out-of-band series of security updates to correct important issues in the Magento platform.
The updates were released on October 15th and are not part of the standard monthly patch issued by Adobe. They correct nine vulnerabilities, eight of which are considered critical or serious. The last one is considered to be of moderate severity.
The vulnerabilities affect Magento Commerce and Magento Open Source, versions 2.3.5-p1, 2.4.0 and older.
The most critical vulnerabilities in the Adobe Magento platform, which have now been resolved with the new updates, are tracked as CVE-2020-24407 and CVE-2020-24400. These vulnerabilities allow code execution or access to database data. In both cases, however, the attacker must first acquire administrator privileges in order to take advantage of them.
In addition, Adobe addressed another vulnerability (CVE-2020-24402), which allows attackers to manipulate and modify customer lists.
According to ZDNet, the other vulnerabilities fixed include: a cross-site scripting (XSS) error (CVE-2020-24408), a session invalidation error (CVE-2020-24401), a security vulnerability that allows Magento CMS pages to be modified without the user's permission (CVE-2020-24404) and two errors that prevent access to resources (CVE-2020-24405 and CVE-2020-24403).
According to Adobe, the least dangerous error (CVE-2020-24406) is the inadvertent disclosure of the document root path, which could lead to the disclosure of sensitive information.
In its regular monthly patch, Adobe fixed a critical vulnerability in Flash for Windows, macOS, Linux and Chrome OS. This vulnerability (CVE-2020-9746) could be used to crash the software or to execute malicious code.
This week, Microsoft released its own security updates (Patch Tuesday October 2020) to correct vulnerabilities in many of its products. In total, the company corrects 87 vulnerabilities. 21 of them allow code execution and affect Outlook, Excel and the Windows TCP/IP stack.