Last week on August 8th, 2023, Adobe released a critical security patch for Adobe Commerce and the Magento Open Source CMS. The patch provides fixes for three vulnerabilities which affect the popular ecommerce platforms. Successful exploitation could lead to arbitrary code execution, privilege escalation and arbitrary file system read.
Affected versions of Magento Open Source are as follows:
- 2.4.6-p1 and earlier
- 2.4.5-p3 and earlier
- 2.4.4-p4 and earlier
Website administrators are advised to update their software immediately to mitigate risk to their Magento and Adobe Commerce environments.
Vulnerability details
OS Command Injection
Security Risk: Critical Base Score: 9.1 Exploitation Level: Requires Admin authentication. Vulnerability: Arbitrary Code Execution CVE: CVE-2023-38208
Originally reported to Adobe by researcher Blaklis, CVE-2023-38208 is the most severe vulnerability fixed in this latest update. If left unpatched, it can lead to arbitrary code execution by an authenticated Admin user, potentially allowing a bad actor to execute commands in the targeted environment.
It’s not uncommon for attackers to create malicious administrator accounts within compromised Magento environments. If an attacker is already able to authenticate into an admin account then the environment is already compromised, but this vulnerability would allow attackers even more leeway and control over the environment.
Improper Access Control
Security Risk: Medium Base score: 6.5 Exploitation Level: Requires low-level authentication. Vulnerability: Privilege Escalation CVE: CVE-2023-38209
Originally reported to Adobe by researcher wohlie, CVE-2023-38209 is a medium level vulnerability that occurs due to improper access restrictions for unauthorized users. If left unpatched, it can allow low-privilege users to access other user’s data within the Magento environment.
XML Injection / Blind XPath Injection
Security Risk: Medium Base score: 5.3 Exploitation Level: No authentication required. Vulnerability: Arbitrary File System Read CVE: CVE-2023-38207
Originally reported to Adobe by researcher wohlie, CVE-2023-38207 is a medium level vulnerability that occurs because special elements used in XML are not properly neutralized. If left unpatched, it can lead to minor arbitrary file system read in the Magento environment.
Mitigation steps
All three of these vulnerabilities could result in exploitation by attackers if left unpatched. Updating Adobe Commerce and Magento Open Source to the latest security release will help fix these security flaws and mitigate risk to your Magento environment.
Magento users should update their software to the following versions:
- Magento Open Source 2.4.6-p2 for versions 2.4.6 and earlier
- Magento Open Source 2.4.5-p4 for versions 2.4.5-p3 and earlier
- Magento Open Source 2.4.4-p5 for versions 2.4.4-p3 and earlier
If you believe your Magento environment has already been compromised or infected with malware, we can help. Reach out to our team to chat with our remediation specialists.
Ben Martin is a security analyst and researcher who joined the company in 2013. Ben's main responsibilities include finding new undetected malware, identifying trends in the website security world, and, of course, cleaning websites. His professional experience covers more than eight years of working with infected websites, writing blog posts, and taking escalated tickets. When Ben isn't slaying malware, you might find him editing audio, producing music, playing video games, or cuddling with his cat. Connect with him on Twitter