
Adobe Fixes Multiple Critical Vulnerabilities In Magento CMS

Magento CMS Vulnerabilities

This week, Adobe addressed multiple critical and high-severity vulnerabilities in its Magento platform that left hundreds of thousands of websites exposed to arbitrary code execution and customer-list tampering attacks.

Magento is the second most popular Content Management System (CMS) platform after WordPress. It powers over 250,000 active eCommerce sites, around 12% of all online stores, and according to Magento.com, Magento-based sites handle over $155 billion in transactions every year.

Magento vulnerabilities found and affected Magento versions

In security bulletin APSB20-59, Adobe released patches for a total of 9 vulnerabilities affecting the Magento Commerce and Magento Open Source platforms. Eight of the nine are rated critical or important, while one is rated moderate.

[Vulnerability table from the bulletin. Source: Adobe]

The two critical flaws are a file upload allow list bypass (CVE-2020-24407) and a SQL injection (CVE-2020-24400). The first lets an attacker execute arbitrary code on the server; the second gives arbitrary read or write access to the victim store's database. Both flaws, however, require the attacker to already hold admin privileges, so a weak, reused or phished admin password is the realistic path to exploitation.

A stored XSS (CVE-2020-24408), if exploited, lets an attacker execute arbitrary JavaScript in a victim's browser, and unlike the two critical flaws it does not require admin privileges to exploit.

Magento sites using the Astra Security Magento Firewall are already protected against exposure to all of the vulnerabilities mentioned above.

The security bulletin also provided a list of affected versions of the Magento platform:

[Affected versions table. Source: Adobe]

How to secure your Magento sites from these vulnerabilities

If your website or eCommerce store is running an outdated Magento version, update your installation to the latest patched version to protect it from these vulnerabilities. Note that the version string matters: a security patch release such as one with a "-pN" suffix is newer than the base release it is built on, so compare versions component by component rather than by eye. Here is the list of updated/latest versions for the respective Magento products:

[Updated versions table. Source: Adobe]
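To put the update advice into practice, here is an added example (not code from the original post, from Adobe or from the Magento project) of a POSIX shell check that tells you whether the Magento version you are running is older than a fixed version you supply, handling the "-pN" security-patch suffix that a plain string comparison gets wrong. The fixed version must come from Adobe's bulletin for your product line; the version numbers in the demonstration loop are constructed sample values, not taken from the bulletin, and the `bin/magento --version` parsing and composer commands in the comments assume a standard composer-based install run from the Magento root.

```shell
#!/bin/sh
# Added example: decide whether an installed Magento version is older than
# the fixed version from Adobe's bulletin. Versions look like 2.3.5 or
# 2.3.5-p1 (security patch release). "2.3.5-p1" must sort after "2.3.5" and
# before "2.3.6", which a plain string comparison does not guarantee.

# Emit "MAJOR MINOR PATCH N" for "MAJOR.MINOR.PATCH[-pN]" (N is 0 when absent).
version_key() {
  v=$1
  case $v in
    *-p*) base=${v%-p*}; plevel=${v##*-p} ;;
    *)    base=$v;       plevel=0 ;;
  esac
  oldifs=$IFS; IFS=.
  set -- $base
  IFS=$oldifs
  printf '%d %d %d %d\n' "${1:-0}" "${2:-0}" "${3:-0}" "$plevel"
}

# magento_older_than INSTALLED FIXED -> exit status 0 if INSTALLED < FIXED
magento_older_than() {
  set -- $(version_key "$1") $(version_key "$2")   # $1-$4 installed, $5-$8 fixed
  while [ $# -gt 4 ]; do
    [ "$1" -lt "$5" ] && return 0
    [ "$1" -gt "$5" ] && return 1
    shift   # shifting by one keeps $1 and $5 aligned on the same component
  done
  return 1   # equal or newer: no update needed
}

# Usage on a real install (assumption: run from the Magento root, and the CLI
# prints a line containing the version, e.g. "Magento CLI 2.3.5-p1"):
#   installed=$(bin/magento --version | grep -oE '[0-9]+\.[0-9]+\.[0-9]+(-p[0-9]+)?' | head -n1)
#   fixed=<version from Adobe's bulletin for your product line>
#   if magento_older_than "$installed" "$fixed"; then
#     composer require "magento/product-community-edition=$fixed" --no-update
#     composer update && bin/magento setup:upgrade && bin/magento cache:flush
#   fi

# Constructed sample pairs (not the bulletin's values) to show the check:
for pair in "2.3.5-p1 2.3.6" "2.4.0 2.4.1" "2.4.1 2.4.1" "2.3.5 2.3.5-p1"; do
  set -- $pair
  if magento_older_than "$1" "$2"; then
    echo "$1 is older than $2: update required"
  else
    echo "$1 is at or above $2: ok"
  fi
done
```

The component-by-component comparison is the point: `[ "2.3.5-p1" \< "2.3.6" ]` happens to work, but `"2.3.5" \< "2.3.5-p1"` and `"2.3.10" \< "2.3.9"` give the wrong answer under string ordering, so a script that grepped the version and compared it as text could report a vulnerable store as patched.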

Further, installing a web application firewall (WAF) in front of your website or eCommerce store can always help. A WAF adds a layer of defence against exploitation attempts aimed at vulnerabilities in your site files, plugins, extensions and themes, although it complements applying the patch rather than replacing it.

How the Astra Security Magento Firewall works on your website

The Astra Security WAF filters malicious traffic and potential threats and provides intelligent protection for your website or eCommerce store. It blocks XSS, SQLi, CSRF, bad bots, the OWASP Top 10 and 100+ other cyber attacks. The firewall detects visitor patterns on your website and automatically blocks visitors with malicious intent.
