Attention Adobe Commerce Users: Critical Vulnerabilities Threaten Your Store (CVE-2024-20719 & 20720)

Running an online store with Adobe Commerce? Two critical vulnerabilities – CVE-2024-20719 and CVE-2024-20720 – demand immediate attention. These vulnerabilities could allow attackers to compromise your system, putting your business and customer data at risk. Let’s understand the threats and the crucial steps you must take to protect yourself.

Understanding the Dangers:

Think of these vulnerabilities as hidden backdoors in your store’s security wall. Attackers could exploit them to:

  • Steal sensitive data: Customer information, financial details, and product data are all vulnerable.
  • Disrupt operations: Attackers can tamper with software, corrupt files, or even shut down your website.
  • Gain unauthorized access: Once inside, they can move laterally, potentially infiltrating other connected systems.

Technical Overview:

  • CVE-2024-20719: This vulnerability involves improper input validation, allowing attackers to inject malicious code through seemingly harmless inputs. Think of it as accepting a poisoned gift: the input looks harmless, but it does damage once your system takes it in.

Let’s delve into the technical details of CVE-2024-20719.

  • Vulnerability Description:
    • CVE ID: CVE-2024-20719
    • Affected Software: Adobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6, and earlier.
    • Vulnerability Type: Stored Cross-Site Scripting (XSS)
    • Impact: An admin attacker can inject malicious scripts into every admin page.
    • Exploit Scenario: When a victim browses to a page containing the vulnerable field, malicious JavaScript may execute in their browser, potentially granting the attacker admin access.
  • Severity:
    • CVSS Base Score: 9.1 (Critical)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
    • Explanation:
      • Attack Vector: Network
      • Attack Complexity: Low
      • Privileges Required: High
      • User Interaction: None
      • Scope: Changed
      • Confidentiality: High
      • Integrity: High
      • Availability: High
  • Mitigation:
    • Adobe has released security updates to address this vulnerability. Ensure you update your Adobe Commerce installation to a non-vulnerable version.

For more details, refer to the Adobe Security Bulletin.

  • CVE-2024-20720: This vulnerability involves improper access control, acting like a broken lock on your store’s door. Attackers can bypass security measures and gain unauthorized access to areas they shouldn’t be in.

Let’s delve into the technical details of CVE-2024-20720, a vulnerability affecting Adobe Commerce versions 2.4.6-p3, 2.4.5-p5, and 2.4.4-p6, as well as earlier versions. Here’s what you need to know:

  1. Vulnerability Description:
    • Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
    • This vulnerability allows an attacker to inject malicious commands into the system, potentially leading to arbitrary code execution.
    • Successful exploitation could allow the attacker to execute arbitrary code with the privileges of the affected application.
  2. Severity:
    • Critical
    • The impact of this vulnerability is severe, as it enables arbitrary code execution.
  3. Affected Versions:
    • Adobe Commerce:
      • Versions 2.4.6-p3 and earlier
      • Versions 2.4.5-p5 and earlier
      • Versions 2.4.4-p6 and earlier
  4. Mitigation:
    • Adobe has released security updates to address this vulnerability. Users are strongly advised to update their installations to the following versions:
      • Adobe Commerce: 2.4.6-p4, 2.4.5-p6, 2.4.4-p7, and corresponding versions for earlier releases.
      • Magento Open Source: 2.4.6-p4 and corresponding versions for earlier releases.
  5. CVSS Base Score:
    • 9.1 (out of 10)
    • This score reflects the critical severity of the vulnerability.
  6. Exploit Requirements:
    • Authentication required: Yes
    • Exploit requires admin privileges: Yes

For more detailed information, you can refer to the official Adobe Security Bulletin.
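A quick way to tell whether a given install still falls in the affected range is to compare its version against the fixed patch levels listed above. The script below is an added example written for this post, not Adobe's own tooling; it assumes `bin/magento --version` prints a line such as `Magento CLI 2.4.6-p3`, and it treats the 2.4.3 and older lines as "check the bulletin" because only "corresponding versions for earlier releases" are named here.

```python
"""Classify an Adobe Commerce / Magento Open Source version string as fixed or
still vulnerable to CVE-2024-20719 and CVE-2024-20720.

Fixed patch levels come from the bulletin summary above: 2.4.6-p4, 2.4.5-p6,
2.4.4-p7. Branches older than 2.4.4 are reported as 'check-bulletin'.
"""
import re
import subprocess

# Patch level that closes both CVEs, keyed by release branch (values from the post).
FIXED_PATCH = {(2, 4, 6): 4, (2, 4, 5): 6, (2, 4, 4): 7}

# Matches "2.4.6-p3" as well as an unpatched "2.4.6" (no -pN suffix).
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?")


def parse_version(text):
    """Extract (major, minor, release, patch) from e.g. 'Magento CLI 2.4.6-p3'.
    A release with no -pN suffix is treated as patch level 0."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Magento version found in {text!r}")
    major, minor, rel, patch = m.groups()
    return int(major), int(minor), int(rel), int(patch or 0)


def assess(text):
    """Return 'vulnerable', 'fixed' or 'check-bulletin' for a version string."""
    major, minor, rel, patch = parse_version(text)
    branch = (major, minor, rel)
    if branch in FIXED_PATCH:
        return "fixed" if patch >= FIXED_PATCH[branch] else "vulnerable"
    if branch > max(FIXED_PATCH):
        # Assumption: branches newer than 2.4.6 (the post recommends 2.4.7-p1 or
        # later) ship with the fix; the affected list stops at 2.4.6-p3.
        return "fixed"
    # 2.4.3-ext / 2.4.2-ext style releases are not enumerated in this post.
    return "check-bulletin"


def installed_version(magento_root="."):
    """Ask the local install itself; bin/magento --version prints the version."""
    out = subprocess.run([f"{magento_root}/bin/magento", "--version"],
                         capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    # Constructed sample outputs in the format bin/magento --version produces.
    for sample in ("Magento CLI 2.4.6-p3", "Magento CLI 2.4.6-p4",
                   "Magento CLI 2.4.5", "Magento CLI 2.4.3-p3"):
        print(f"{sample!r}: {assess(sample)}")
```

Run it from the Magento root with `assess(installed_version())` to check a live install rather than the constructed samples.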

Mitigations Common to Both Vulnerabilities:

Taking Action: Protect Your Store:

While I can’t share specific exploitation details, here are crucial steps to protect your Adobe Commerce store:

  1. Upgrade Immediately: This is the most critical action. Patch to the latest version (2.4.7-p1 or later) without delay. This patch closes the back doors, leaving attackers locked out.
  2. Disable Affected Functionality (If Necessary): If an immediate upgrade isn’t possible, consider temporarily disabling the functionality exposed to these specific exploits. Remember, this is a temporary measure; prioritize upgrading as soon as possible.
  3. Strengthen Security: Enforce strong passwords, implement Multi-Factor Authentication (MFA), and keep software updated across your entire system. Think of these as additional layers of security around your store.
  4. Stay Informed: Regularly check for security updates from Adobe and follow advisories from trusted cybersecurity sources. Knowledge is power in the fight against cyber threats.
  5. Report Suspicious Activity: If you suspect a compromise, report it immediately to Adobe and relevant authorities. Prompt action can minimize damage and help catch attackers.

Remember:

  • Security is an ongoing process. Stay vigilant and proactive with updates and best practices.
  • While understanding technical details is helpful, prioritize understanding the impacts and action steps.
  • This information is for awareness and shouldn’t replace professional security advice.

Additional Resources: