Adobe Announced a Patch to Fix Critical Magento Vulnerabilities

Adobe recently announced a security patch for Magento 2 with 33 security improvements including fixes for 16 critical Magento vulnerabilities. Some of the vulnerabilities could let cyber attackers take over administrator sessions and even give access to customer data. These vulnerabilities affect both the Magento open source and commercial versions.

The Magento Open Source 2.4.3 release notes state that

“Thirty-three security enhancements that help close remote code execution (RCE) and cross-site scripting (XSS) vulnerabilities.

No confirmed attacks related to these issues have occurred to date. However, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions.”

Adobe Announced a Patch to Fix Critical Magento Vulnerabilities

Magento Vulnerabilities that Have Been Patched

Adobe is going to release Magento 2.4.3 version that contains 33 security enhancements. These security issues have a great impact on both open source and commercial versions of Magento.

If you’re involved in Magento 2 development, then you should consider these vulnerabilities and update the software to the latest Magento 2 version.

Open Source Versions of Magento that Are Impacted

  • 4.2-p1 and previous versions
  • 3.7 and previous versions

Commercial Versions of Magento that Are Impacted

  • 4.2 and previous versions
  • 4.2-p1 and previous versions
  • 3.7 and previous versions

Critical Magento Security Vulnerabilities

Many of the Magento vulnerabilities are rated critical. Specifically, out of 16 security vulnerabilities that were announced by Adobe, 10 of them do not need any admin or user credentials to exploit Magento.

The other 6 security vulnerabilities require that a cyber attacker already has administrator-level privilege.

11 Critical Magento Vulnerabilities

While all Magento vulnerabilities should not be overlooked, the ones that are rated as critical are more serious and dangerous.

Four Kinds of Security Vulnerabilities:

  • Application denial-of-service (1)
  • Privilege escalation (1)
  • Security feature bypass (2)
  • Arbitrary code execution (7 vulnerabilities)

Magento Arbitrary Code Execution Exploits

The Arbitrary Code Execution exploits impacting Magento includes 6 types of attacks:

  • Improper Input Validation
  • Improper Access Control
  • Path Traversal
  • OS Command Injection
  • Server-Side Request Forgery (SSRF)
  • XML Injection (aka Blind XPath Injection)

A Few Instances of Magento Security Feature Bypass Exploits

There are two types of Magento Security Feature Bypass issues compromising Magento that are fixed in the Magento 2.4.3 version.

  • Improper Input Validation

This type of issue indicates a failure of proper input validation that is dangerous for the software process. This issue allows a cyber attacker to create an unexpected input that can cause arbitrary code execution.

  • Improper Authorization

An Improper Authorization exploit in Magento occurs when the software is not able to properly verify if the user has the privilege levels person creating the inputs as the proper credentials.

One common feature of the aforementioned exploits is that they help a cyber attacker to gain access to confidential and sensitive areas of the software to execute arbitrary commands.

Adobe has released updates for Magento Commerce and Magento Open Source versions. These updates fix Magento security vulnerabilities that are rated as critical. Successful exploitation of Magento vulnerabilities could result in arbitrary code execution.

The Latest Updated Magento 2.4.3 Version

If you’ve invested in Magento 2 development, it is safe to update to the latest Magento 2.4.3 version. According to Adobe’s release notes, there are some backward compatibility issues as well. However, some of the updates are released independently and so you can update accordingly.

If you’re a newbie, you can hire Magento developers for seamless Magento 2 upgrade services.

Here are the improvements that come with Magento 2.4.3.

  • Platform Quality

The new release brings numerous platform quality fixes such as reduced indexing time for Product Price and Catalog Rules. Online merchants can now eliminate a website from a customer group or shared catalog, which decreases the number of records and enhances indexing times. The release also features expansion of the GraphQL API to include gift registries and more B2B functionality. Additionally, a new PayPal Later payment option for Magento’s native PayPal integration helps in increasing sales by allowing customers to pay for an order in two-week installments instead of paying the total price at one go.

  • Security

Magento 2.4.3 fixes several security issues and brings enhancements including expansion of ReCAPTCHA security to the web-API to prevent spam and exploitation, the addition of default web-API rate-limiting to prevent DDOS attacks, and a new Composer plugin to avoid Dependency Confusion.

If you want to leverage the security features and benefits of Magento 2.4.3, then you can hire Magento developers at Magento India for reliable Magento 2 upgrade services.

Final Note

So, these are some of the quick updates regarding the critical Magento vulnerabilities and the enhancements the new Magento 2 version comes with.

As a leading Magento 2 development company, we offer reliable Magento 2 upgrade services to keep your Magento store up-to-date always. If you’re planning to upgrade or migrate to the latest Magento version, then you may speak to our Magento 2 experts now.

Frequently Asked Questions

Q.1. How secure is Magento?

Ans. Magento provides built-in security features that help in reducing security issues and risks such as data theft, data leaks, illegal transactions, and malware attacks.

Q.2. What are the main security features in Magento 2?

Ans. Magento 2 comes with three main security features:

  • Adaptable file permissions
  • Password management tools
  • Regular updates

Q.3. How do I update my store to Magento 2?

Ans. To update from Magento 1 to the latest version of Magento 2, you can follow the below-given steps:

  • Back up your Magento store.
  • Enable maintenance mode.
  • Upgrade to Magento 2
  • Check the latest Magento 2 version.
  • Update to Magento 2 Service.

Looking for Magento professionals, our experts can help you

Talk To Experts