ID: CVE-2020-24405 | Type: cve | Reporter: cve@mitre.org | Modified: 2020-11-12T17:59:00
Description
Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions issue vulnerability in the Inventory module. This vulnerability could be abused by authenticated users to modify inventory stock data without authorization.
Related coverage (threatpost)
Title: Critical Magento Holes Open Online Shops to Code Execution
Source: https://threatpost.com/critical-magento-holes-online-shops-code-execution/160181/
Published: 2020-10-15T20:59:30 (last seen 2020-10-15T21:03:04)
Record ID: THREATPOST:785BBBEDA09A3CE4F8ACBCFA48B51AD2
CVEs referenced: CVE-2020-24400, CVE-2020-24401, CVE-2020-24402, CVE-2020-24403, CVE-2020-24404, CVE-2020-24405, CVE-2020-24407, CVE-2020-24408

Two critical flaws in Magento – Adobe’s e-commerce platform that is commonly targeted by attackers like the [Magecart threat group](<https://threatpost.com/magecart-blue-bear-attack/151585/>) – could enable arbitrary code execution on affected systems.

Retail is set to boom in the coming months – between [this week’s Amazon Prime Day](<https://threatpost.com/amazon-prime-day-spurs-spike-in-phishing-fraud-attacks/159960/>) and [November’s Black Friday](<https://threatpost.com/black-friday-shoppers-scams-fake-domains/150593/>) – which puts pressure on Adobe to rapidly patch up any holes in the popular Magento open-source platform, which powers many online shops.

The company on Thursday disclosed two critical flaws, six important-rated errors and one moderate-severity vulnerability plaguing both Magento Commerce (which is aimed at enterprises that need premium support levels, and has a license fee starting at $24,000 annually) and Magento Open Source (its free alternative).

The most severe of these include a vulnerability that allows for arbitrary code execution. The issue stems from the application not validating full filenames when using an “allow list” method to check the file extensions. This could enable an attacker to bypass the validation and upload a malicious file. In order to exploit this flaw (CVE-2020-24407), attackers would not need pre-authentication (meaning the flaw is exploitable without credentials) – however, they would need administrative privileges.

The other critical flaw is an SQL injection vulnerability. This is a type of web security flaw that allows an attacker to interfere with the queries that an application makes to its database. An attacker without authentication – but also with administrative privileges – could exploit this bug in order to gain arbitrary read or write access to a database.

Adobe also issued patches for various important improper-authorization vulnerabilities, which occur when an application does not properly check that a user is authorized to access functionality — which could ultimately expose data. These include a flaw that could allow unauthorized modification of Magento content management system (CMS) pages (CVE-2020-24404), one that could enable the unauthorized modification of an e-commerce business customer list (CVE-2020-24402) and two that could allow for unauthorized access to restricted resources (CVE-2020-24405 and CVE-2020-24403).

Another important vulnerability stems from an insufficient validation of a User Session, which could give an attacker unauthorized access to restricted resources (CVE-2020-24401).

For all of the flaws above, an attacker would need to have administrative privileges, but wouldn’t need pre-authentication to exploit the flaw, according to Adobe.

Finally, an important-severity cross-site scripting flaw (CVE-2020-24408) was also addressed, which could allow for arbitrary JavaScript execution in the browser. To exploit this, an attacker wouldn’t need administrative privileges, but they would need credentials.

Specifically affected are Magento Commerce, versions 2.3.5-p1 and earlier and 2.4.0 and earlier; as well as Magento Open Source, versions 2.3.5-p1 and earlier and 2.4.0 and earlier. Adobe has issued patches (below) in Magento Commerce and Magento Open Source versions 2.4.1 and 2.3.6, and “recommends users update their installation to the newest version.”

[image omitted: magento.png]

The update for all vulnerabilities is a priority 2, meaning they exist in a product that has historically been at elevated risk – but for which there are currently no known exploits.

“Based on previous experience, we do not anticipate exploits are imminent. As a best practice, Adobe recommends administrators install the update soon (for example, within 30 days),” according to the firm.

Indeed, Magento has had its share of security flaws over the past year. In July, [Adobe fixed two critical vulnerabilities and two important-severity flaws](<https://threatpost.com/critical-magento-flaws-code-execution/157840/>) that could have enabled code execution and a signature-verification bypass. And in April, Adobe [patched several critical flaws](<https://helpx.adobe.com/security/products/magento/apsb20-22.html>) in Magento, which if exploited could lead to arbitrary code execution or information disclosure.

The issue also comes after [Magento 1 reached end-of-life (EOL) in June,](<https://threatpost.com/tuesdays-magento-1-eol-100k-online-stores/157000/>) with Adobe making a last-ditch effort to urge the 100,000 online stores still running the outdated version to migrate to Magento 2. E-commerce merchants must [migrate to Magento 2](<https://magento.com/blog/magento-news/support-magento-1-software-ends-june-30-2020>), which was released five years ago.