Multiple Vulnerabilities in Magento CMS Could Allow for Remote Code Execution (APSB20-59)

DESCRIPTION
Multiple vulnerabilities have been discovered in Magento CMS, the most severe of which could allow for arbitrary code execution. Magento is a web-based e-commerce application written in PHP. Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

IMPACT
Multiple vulnerabilities have been discovered in Magento CMS, the most severe of which could allow for arbitrary code execution. The vulnerabilities are as follows:

    • An File Upload Allow List Bypass vulnerability could allow for Arbitrary Code Execution. (CVE-2020-24407)
    • An SQL Injection vulnerability that could allow for Arbitrary read or write access. (CVE-2020-24400)
    • Multiple Improper Authorization vulnerabilities that could allow for Unauthorized modification of customer list. (CVE-2020-24402, CVE-2020-24404, CVE-2020-24405, CVE-2020-24403)
    • An Insufficient Invalidation of User Session vulnerability could allow for Unauthorized access to restricted resources. (CVE-2020-24401)
    • An Information Disclosure vulnerability could allow for Disclosure of document root path. (CVE-2020-24406)
    • A Cross-Site Scripting vulnerability could allow for Arbitrary JavaScript execution in the browser. (CVE-2020-24408)

Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

SYSTEM AFFECTED
    • Magento Open Source versions prior to 2.3.6 and 2.4.1
    • Magento Commerce versions prior to 2.3.6 and 2.4.1

RECOMMENDATIONS

Following actions are recommended to be taken:
    • Apply appropriate updates provided by Magento to affected systems immediately after appropriate testing.
    • Apply the Principle of Least Privilege to all systems and services.
    • Verify no unauthorized system modifications have occurred on system before applying patch.
    • Monitor intrusion detection systems for any signs of anomalous activity.
    • Unless required, limit external network access to affected products.

REFERENCES
    • https://helpx.adobe.com/security/products/magento/apsb20-59.html
    • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24407
    • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24400
    • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24402
    • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24404
    • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24405
    • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24403
    • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24401
    • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24406
    • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24408
    • https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-magento-cms-could-allow-for-remote-code-execution-apsb20-59_2020-142/