CVE-2020-24402: Adobe Security Bulletin
Magento versions 2.4.0 and 2.3.5-p1 (and earlier) are affected by an incorrect permissions vulnerability in the Integrations component. This vulnerability could be abused by authenticated users with permissions to the Resource Access API to delete customer details via the REST API without authorization.
Security Updates Available for Magento | APSB20-59
| Bulletin ID | Date Published | Priority |
|---|---|---|
| APSB20-59 | October 15th, 2020 | 2 |
Magento has released updates for Magento Commerce and Magento Open Source. These updates resolve vulnerabilities rated important and critical. Successful exploitation could lead to arbitrary code execution.
| Product | Version | Platform |
|---|---|---|
| Magento Commerce | 2.3.5-p1 and earlier versions | All |
| Magento Commerce | 2.3.5-p2 and earlier versions | All |
| Magento Commerce | 2.4.0 and earlier versions | All |
| Magento Open Source | 2.3.5-p1 and earlier versions | All |
| Magento Open Source | 2.3.5-p2 and earlier versions | All |
| Magento Open Source | 2.4.0 and earlier versions | All |
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.
| Vulnerability Category | Vulnerability Impact | Severity | Pre-authentication? | Admin privileges required? | Magento Bug ID | CVE numbers |
|---|---|---|---|---|---|---|
| File Upload Allow List Bypass | Arbitrary code execution | Critical | No | Yes | PRODSECBUG-2799 | CVE-2020-24407 |
| SQL Injection | Arbitrary read or write access to database | Critical | No | Yes | PRODSECBUG-2779 | CVE-2020-24400 |
| Improper Authorization | Unauthorized modification of customer list | Important | No | Yes | PRODSECBUG-2789 | CVE-2020-24402 |
| Insufficient Invalidation of User Session | Unauthorized access to restricted resources | Important | No | Yes | PRODSECBUG-2785 | CVE-2020-24401 |
| Improper Authorization | Unauthorized modification of Magento CMS pages | Important | No | Yes | PRODSECBUG-2796 | CVE-2020-24404 |
| Sensitive Information Disclosure | Disclosure of document root path | Moderate | No | Yes | PRODSECBUG-2798 | CVE-2020-24406 |
| Cross-site Scripting (Stored XSS) | Arbitrary JavaScript execution in the browser | Important | Yes | No | PRODSECBUG-2804 | CVE-2020-24408 |
| Improper Authorization | Unauthorized access to restricted resources | Important | No | Yes | PRODSECBUG-2797 | CVE-2020-24405 |
| Improper Authorization | Unauthorized access to restricted resources | Important | No | Yes | PRODSECBUG-2791 | CVE-2020-24403 |
Note:
- Pre-authentication: The vulnerability is exploitable without credentials.
- Admin privileges required: The vulnerability is only exploitable by an attacker with administrative privileges.
Additional technical descriptions of the CVEs referenced in this document will be made available on MITRE and NVD sites.
| Dependency | Vulnerability Impact | Affected Versions |
|---|---|---|
| jQuery File Upload | Arbitrary code execution | 2.4.0 and earlier versions |
| TinyMCE | Arbitrary JavaScript execution | 2.4.0 and earlier versions |
Adobe would like to thank the following individuals for reporting the relevant issues and for working with Adobe to help protect our customers:
- Edgar Boda-Majer of Bugscale (CVE-2020-24408)
- Kien Hoang (CVE-2020-24402, CVE-2020-24401, CVE-2020-24404, CVE-2020-24405)
- Ihorsv (CVE-2020-24406)
- Malerisch (CVE-2020-24407)
- Dang Toan (CVE-2020-24403)
- Yonatan Offek (CVE-2020-24400)