30 January 20, 15:31
Quote: Critical vulnerabilities in Adobe’s Magento e-commerce platform – a favorite target of the Magecart cybergang – could lead to arbitrary code execution.
Adobe issued patches on Tuesday as part of its overall release of the Magento 2.3.4 upgrade, giving the fixes a “priority 2” rating. In Adobe parlance, priority 2 means that administrators should apply the updates within 30 days.
Out of the flaws, Adobe has fixed three that it rates as critical in severity, meaning that successful exploits could “allow malicious native code to execute, potentially without a user being aware.”
Two of these could allow arbitrary code execution: CVE-2020-3716 is a deserialization of untrusted data flaw; and CVE-2020-3718 is a security bypass issue.
The bug tracked as CVE-2020-3719 meanwhile would allow SQL injection if successfully exploited. SQL injection attacks occur when a website developer doesn’t sanitize user-supplied data, which can lead to arbitrary reading and writing of data used within a web application. An attacker can take advantage by sending a malicious search query in the search box of a website.
Adobe also patched a handful of bugs that it rates “important” in severity – defined as issues that could allow “access to confidential data, or could compromise processing resources in a user’s computer.”
Read more: https://threatpost.com/critical-flaws-ma...on/152343/