Magento is steadily gaining popularity as one of the most preferred eCommerce platforms, with its wide range of features, security, scalability, and ease of use. However, as with other eCommerce platforms and websites in general, there is always an inherent risk of attackers exploiting vulnerabilities in the code. Magento regularly releases security patches to address such issues, and store owners are advised to check for the latest security patches and apply them to keep their online store secure. We present an overview of the latest critical and important Magento security vulnerabilities addressed in a recent official release.
These vulnerabilities apply to Open Source and Commerce versions 2.3.5 and below. The security patches are included in the latest 2.4 version; stores on earlier versions need to upgrade to Magento 2.3.5-p2.
Path Traversal (CVE-2020-9689): This is a high-risk vulnerability that would affect Magento stores even without authentication credentials, but would require Administrative privileges to be exploited. It has been classified as “Critical”, and users are strongly recommended to upgrade to the latest version to prevent this risk. Exploiting it lets an attacker gain access to files that are outside a restricted directory, and then gradually move towards gaining inside access to your website.
DOM-based Cross-Site Scripting (CVE-2020-9691): This vulnerability has been classified as “Important” by Magento and affects stores by exploiting user-generated input to generate malicious scripts within the browser. This could affect the security of the application and compromise user data and experience.
Observable Timing Discrepancy (CVE-2020-9690): The Observable Timing Discrepancy vulnerability exploits differences in execution time of core processes to try to bypass the signature verification process, which can result in malicious access to your website. This risk has been classified as “Important”, and can be prevented by upgrading to Magento 2.4 or the 2.3.5-p2 version.
Security Mitigation Bypass (CVE-2020-692): The Security Mitigation Bypass affects stores even without authentication credentials, but would require Administrative privileges to be exploited. Magento has classified this risk as “Critical”, and has recommended an upgrade to prevent exploitation. The Security Mitigation Bypass can lead to arbitrary code execution, which can compromise your online store.
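To check which stores fall under the version guidance above, the following Python sketch classifies Magento version strings against the fixed releases the article names (2.3.5-p2 and 2.4). It is an added example, not code from Magento or from the original article; the function names and the sample inventory are hypothetical, and it assumes every release at or above 2.3.5-p2 carries the patches.

```python
import re

# First fixed release named in the article for the 2.3 line; 2.4 sorts above it.
FIRST_FIXED = (2, 3, 5, 2)

# Accepts "2.4", "2.3.5" and "2.3.5-p2"; anything else is rejected.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-p(\d+))?$")


def parse_magento_version(text):
    """Return (major, minor, patch, security_patch) for a version string.

    Magento's "-pN" suffix marks a security patch release that sorts AFTER
    the base version, the opposite of a semver pre-release tag, so it is
    parsed into its own numeric field instead of going through a semver library.
    """
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised Magento version: {text!r}")
    major, minor, patch, sec = match.groups()
    return (int(major), int(minor), int(patch or 0), int(sec or 0))


def needs_upgrade(text):
    """True when the version is below the first fixed release."""
    return parse_magento_version(text) < FIRST_FIXED


def audit(inventory):
    """Map store name -> "upgrade", "ok" or "review" for a {name: version} dict."""
    report = {}
    for store, version in inventory.items():
        try:
            report[store] = "upgrade" if needs_upgrade(version) else "ok"
        except ValueError:
            # Beta tags, custom builds, typos: do not guess, flag for a human.
            report[store] = "review"
    return report


if __name__ == "__main__":
    # Constructed sample inventory, not real stores.
    sample = {"shop-a": "2.3.5", "shop-b": "2.3.5-p2", "shop-c": "2.4.0",
              "shop-d": "2.3.4-p2", "shop-e": "2.4.0-beta1"}
    for store, action in audit(sample).items():
        print(f"{store}: {sample[store]} -> {action}")
```

The installed version can be read from `bin/magento --version` on each store and fed into `audit`.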
We advise store owners to upgrade to the latest version to safeguard their website against malicious access, which can compromise customer data and performance. Stay tuned for more updates on the latest in Magento, and how you can improve your existing eCommerce implementation.
Exinent has been at the forefront of Magento Consulting, Development, Migration, Support, and Maintenance for the past decade. We have successfully scripted success stories for hundreds of eCommerce stores. If you wish to discuss Custom Magento Development, Migration, Consulting, Security and Audit services, do Contact Us and we will be glad to help you.