====================================================================
CERT-Renater Information Note No. 2020/VULN064
_____________________________________________________________________

DATE                 : 06/02/2020
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Magento Commerce, Magento Open Source
                       versions prior to 2.3.4, 2.2.11, Magento Enterprise
                       Edition versions prior to 1.14.4.4, Magento Community
                       Edition versions prior to 1.9.4.4.
=====================================================================

https://helpx.adobe.com/security/products/magento/apsb20-02.html
_____________________________________________________________________

Adobe Security Bulletin
Security Updates Available for Magento | APSB20-02

Bulletin ID   Date Published     Priority
APSB20-02     January 28, 2020   2

Summary

Magento has released updates for Magento Commerce and Open Source editions.
These updates resolve critical and important vulnerabilities. Successful
exploitation could lead to arbitrary code execution.

Affected Versions

Product                     Version                        Platform
Magento Commerce            2.3.3 and earlier versions     All
Magento Open Source         2.3.3 and earlier versions     All
Magento Commerce            2.2.10 and earlier versions    All
Magento Open Source         2.2.10 and earlier versions    All
Magento Enterprise Edition  1.14.4.3 and earlier versions  All
Magento Community Edition   1.9.4.3 and earlier versions   All

Solution

Adobe categorizes these updates with the following priority ratings and
recommends users update their installation to the newest version.

Product                     Version   Platform  Priority Rating  Availability
Magento Commerce            2.3.4     All       2                2.3.4 Commerce
Magento Open Source         2.3.4     All       2                2.3.4 Open Source
Magento Commerce            2.2.11    All       2                2.2.11 Commerce
Magento Open Source         2.2.11    All       2                2.2.11 Open Source
Magento Enterprise Edition  1.14.4.4  All       2                1.14.4 EE
Magento Community Edition   1.9.4.4   All       2                1.9.4.4 CE

Vulnerability details

Vulnerability Category           Vulnerability Impact              Severity   Magento Bug ID   CVE Numbers
Stored cross-site scripting      Sensitive information disclosure  Important  PRODSECBUG-2543  CVE-2020-3715
Stored cross-site scripting      Sensitive information disclosure  Important  PRODSECBUG-2599  CVE-2020-3758
Deserialization of untrusted data Arbitrary code execution         Critical   PRODSECBUG-2579  CVE-2020-3716
Path traversal                   Sensitive information disclosure  Important  PRODSECBUG-2632  CVE-2020-3717
Security bypass                  Arbitrary code execution          Critical   PRODSECBUG-2633  CVE-2020-3718
SQL injection                    Sensitive information disclosure  Critical   PRODSECBUG-2660  CVE-2020-3719

Acknowledgments

Adobe would like to thank the following individuals and organizations for
reporting the relevant issues and for working with Adobe to help protect our
customers:

· Ernesto Martin (CVE-2020-3715)
· Blaklis (CVE-2020-3716, CVE-2020-3717, CVE-2020-3718)
· Luke Rodgers (CVE-2020-3719)
· Djordje Marjanovic (CVE-2020-3758)

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris         | email: cert@support.renater.fr +
=========================================================