Adobe this week released a security update fixing four vulnerabilities – two critical – in its Magento Commerce 2 and Magento Open Source 2 e-commerce platforms.
The two most significant bugs are identified as a path traversal flaw (CVE-2020-9689) and a Security Mitigation bypass (CVE-2020-9692), both of which can result in arbitrary code execution. The first issue is credited was reported by Edgar Boda-Majer of Bugscale and Blaklis, and the second was reported by Boda-Majer alone.
The remaining two vulnerabilities are categorized as important and consist of an observable timing discrepancy that can lead to a signature verification bypass and a DOM-based cross-site scripting bug that can result in arbitrary code execution.
The problems have been fixed in Magento Commerce 2 versions 2.4.0 and 2.3.5-p2, and Magento Open Source 2 versions 2.4.0 and 2.3.5-p2.
