Severity Rating: High
Software Affected:
· Magento Commerce 1 (Magento Enterprise Edition) 1.14.4.5 and earlier
· Magento Open Source 1 (Magento Community Edition) 1.9.4.5 and earlier
Overview
Multiple vulnerabilities have been reported in Magento 1, which could allow
an attacker with administrative privileges to execute arbitrary code or
gain access to sensitive information on a targeted system.
Description
1. PHP Object Injection Vulnerability (CVE-2020-9664)
This vulnerability exists in Magento due to an error which allows PHP
Object Injection. PHP Object Injection can be exploited via crafted
user-supplied input that is not properly sanitized before being passed to
the unserialize() PHP function.
Successful exploitation of this vulnerability could allow an attacker with
administrative privileges to execute arbitrary code on the targeted system.
2. Stored Cross-Site Scripting Vulnerability (CVE-2020-9665)
This vulnerability exists in Magento due to an error which allows Stored
Cross-Site Scripting. Stored Cross-Site Scripting can be performed by
injecting a specially crafted script into a webpage of an affected system.
Successful exploitation of this vulnerability could allow an attacker with
administrative privileges to gain access to sensitive information on the
targeted system.
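For item 1, the following added example (not part of the advisory and not Magento code) contrasts an unrestricted unserialize() call with a decoder that refuses any serialized object. It assumes PHP 7.0 or later for the allowed_classes option; AuditProbe and decode_untrusted() are hypothetical names and the inputs are constructed.

```php
<?php
// Added example. AuditProbe and decode_untrusted() are hypothetical names,
// not Magento code; the sample inputs at the bottom are constructed.

// Stand-in for any class with a magic method; it only counts instantiations.
final class AuditProbe
{
    public static $woke = 0;
    public function __wakeup() { self::$woke++; }
}

// Decode a value expected to hold only scalars and arrays.
// Returns [true, $value], or [false, null] for malformed input or any object.
function decode_untrusted($raw)
{
    if (!is_string($raw)) {
        return [false, null];
    }
    // allowed_classes => false (PHP >= 7.0): no class is instantiated, so no
    // __wakeup()/__destruct() of application code runs on the input.
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== serialize(false)) {
        return [false, null];
    }
    // Reject placeholder objects at any depth of the decoded structure.
    $stack = [$value];
    while ($stack) {
        $item = array_pop($stack);
        // is_object() is false for __PHP_Incomplete_Class before PHP 7.2.
        if (is_object($item) || $item instanceof __PHP_Incomplete_Class) {
            return [false, null];
        }
        if (is_array($item)) {
            foreach ($item as $child) {
                $stack[] = $child;
            }
        }
    }
    return [true, $value];
}

$plain  = serialize(['sku' => 'ABC-1', 'qty' => 2]);
$object = serialize(['sku' => 'ABC-1', 'extra' => new AuditProbe()]);

unserialize($object); // unrestricted call: the probe's __wakeup() runs
echo 'woke after unserialize(): ', AuditProbe::$woke, PHP_EOL;
list($ok, $value) = decode_untrusted($object);
echo 'object accepted: ', var_export($ok, true), ', woke: ', AuditProbe::$woke, PHP_EOL;
list($ok, $value) = decode_untrusted($plain);
echo 'plain accepted: ', var_export($ok, true), ', qty: ', $value['qty'], PHP_EOL;
```

Where the stored data is only scalars and arrays, switching the storage format to JSON (json_encode/json_decode) removes the object-instantiation path entirely.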
Solution:
Update to the latest versions as available at the following URL:
Note: Support for Magento Commerce 1.14 and Magento Open Source 1 is
ending in June 2020. Users are advised to upgrade to Magento 2.x.
Vendor Information
Adobe
References
https://www.securezoo.com/2020/06/adobe-releases-security-updates-for-magento-apsb20-41-and-eol-reminder/
IBM X-Force
CVE Name
CVE-2020-9664
CVE-2020-9665