Adobe Security Bulletin

Adobe Security Bulletin

Search
User Guide

On this page

Applies to: Digital Editions

某些 Creative Cloud 应用程序、服务和功能在中国不可用。

Security Updates Available for Magento | APSB20-02
Bulletin ID Date Published Priority
APSB20-02  January 28, 2020 2

Summary

Magento has released updates for Magento Commerce and Open Source editions.  These updates resolve critical and important vulnerabilities.  Successful exploitation could lead to arbitrary code execution.    

Affected Versions

Product Version Platform
Magento Commerce 
 2.3.3 and earlier versions    
 All
Magento Open Source   
 2.3.3 and earlier versions    
 All
Magento Commerce 
 2.2.10 and earlier versions    
 All
Magento Open Source  
 2.2.10 and earlier versions    
 All
Magento Enterprise Edition    
 1.14.4.3 and earlier versions    
 All
Magento Community Edition   
 1.9.4.3 and earlier versions    
 All

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.

Product Version Platform Priority Rating Availability
Magento Commerce    
 2.3.4 All 2 2.3.4 Commerce
Magento Open Source    
 2.3.4 All
 2
 2.3.4 Open Source
Magento Commerce    
 2.2.11 All
 2
 2.2.11 Commerce
Magento Open Source    
 2.2.11 All
 2
 2.2.11 Open Source
Magento Enterprise Edition    
 1.14.4.4 All
 2
 1.14.4 EE
Magento Community Edition    
 1.9.4.4 All
 2
 1.9.4.4 CE

Vulnerability details

Vulnerability Category Vulnerability Impact Severity Magento Bug ID    
 CVE Numbers
Stored cross-site scripting    
 Sensitive information disclosure    
 Important PRODSECBUG-2543    
 CVE-2020-3715    
Stored cross-site scripting    
 Sensitive information disclosure    
 Important    
 PRODSECBUG-2599
 CVE-2020-3758
Deserialization of untrusted data    
 Arbitrary code execution    
 Critical    
 PRODSECBUG-2579
 CVE-2020-3716
Path traversal    
 Sensitive information disclosure    
 Important    
 PRODSECBUG-2632
 CVE-2020-3717
Security bypass    
 Arbitrary code execution    
 Critical    
 PRODSECBUG-2633
 CVE-2020-3718
SQL injection    
 Sensitive information disclosure    
 Critical    
 PRODSECBUG-2660
 CVE-2020-3719

Acknowledgments

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:   

·       Ernesto Martin (CVE-2020-3715)

·       Blaklis (CVE-2020-3716, CVE-2020-3717, CVE-2020-3718)

·       Luke Rodgers (CVE-2020-3719)

·       Djordje Marjanovic (CVE-2020-3758)