Adobe Releases Critical Security Updates for Magento

As part of its August 2021 Patch Tuesday, Adobe has rolled out fixes for its e-commerce platform, Magento. These updates address 26 vulnerabilities, 20 of which have been rated as critical. On successful exploitation, most of these vulnerabilities could lead to arbitrary code execution. Apart from Magento, Adobe also released security updates for its conferencing software, Connect. The updates for Connect fix 3 security flaws rated as important and could lead to arbitrary code execution. All this can be done using a vulnerability management tool.

Adobe Magento is an open-source e-commerce platform best known for its speed, scalability, and customization. As of last year, Magento accounted for about 12% of the global e-commerce sites. Adobe Connect is a powerful and flexible conferencing application and provides online training, webinars, and collaboration facilities. Moreover, a patch management solution can patch these vulnerabilities.

A summary of the vulnerabilities is given below. Note that none of these vulnerabilities are being exploited in the wild.

Affected Versions:
Magento Commerce: versions 2.4.2 and earlier, 2.4.2-p1 and earlier, 2.3.7 and earlier
Magento Open Source: 2.4.2-p1 and earlier versions, 2.3.7 and earlier versions

1. CVEs: CVE-2021-36021, CVE-2021-36024, CVE-2021-36025, CVE-2021-36034, CVE-2021-36035, CVE-2021-36040, CVE-2021-36041, and CVE-2021-36042Severity: CriticalVulnerability: Improper Input ValidationImpact: Arbitrary Code Execution

2. CVEs: CVE-2021-36022 and CVE-2021-36023Severity: CriticalVulnerability: OS Command InjectionImpact: Arbitrary Code Execution

3. CVEs: CVE-2021-36028, CVE-2021-36033 and CVE-2021-36020Severity: CriticalVulnerability: XML InjectionImpact: Arbitrary Code Execution

4. CVEs: CVE-2021-36036Severity: CriticalVulnerability: Improper Access ControlImpact: Arbitrary Code Execution

5. CVEs: CVE-2021-36029Severity: CriticalVulnerability: Improper AuthorizationImpact: Security Feature Bypass

6. CVEs: CVE-2021-36032Severity: CriticalVulnerability: Improper Input ValidationImpact: Privilege Escalation

7. CVEs: CVE-2021-36043Severity: CriticalVulnerability: Server-Side Request ForgeryImpact: Arbitrary Code Execution

8. CVEs: CVE-2021-36044Severity: CriticalVulnerability: Improper Input ValidationImpact: Application Denial-of-Service

9. CVEs: CVE-2021-36030Severity: CriticalVulnerability: Improper Input ValidationImpact: Security Feature Bypass

10. CVEs: CVE-2021-36031Severity: CriticalVulnerability: Path TraversalImpact: Arbitrary Code Execution

11. CVEs: CVE-2021-36012Severity: ImportantVulnerability: Business Logic ErrorsImpact: Security Feature Bypass

12. CVEs: CVE-2021-36026 and CVE-2021-36027Severity: ImportantVulnerability: Cross-site ScriptingImpact: Arbitrary Code Execution

13. CVEs: CVE-2021-36037Severity: ImportantVulnerability: Improper AuthorizationImpact: Security Feature Bypass

14. CVEs: CVE-2021-36038Severity: ImportantVulnerability: Incorrect AuthorizationImpact: Security Feature Bypass

15. CVEs: CVE-2021-36039Severity: ImportantVulnerability: Improper Input ValidationImpact: Arbitrary file system read

Affected Versions:
Adobe Connect: 11.2.2 and earlier versions

CVEs: CVE-2021-36061Severity: ImportantVulnerability: Violation of Secure Design PrinciplesImpact: Security Feature Bypass

CVEs: CVE-2021-36062 and CVE-2021-36063Severity: CriticalVulnerability: Cross-site ScriptingImpact: Arbitrary Code Execution

SanerNow VM detects these vulnerabilities. We strongly recommend applying the security updates for all vulnerabilities on high priority.