Magento 2.3.4 was released this week with patches for six vulnerabilities, including three that are considered critical.
The first of these severe security issues is related to deserialization of untrusted data. Tracked as CVE-2020-3716, the bug could lead to arbitrary code execution.
Another critical flaw that could allow for the execution of arbitrary code is CVE-2020-3718, which Adobe describes as a security bypass issue.
The third critical vulnerability addressed in this release is an SQL injection that could lead to the disclosure of sensitive information, and which is tracked as CVE-2020-3719.
All of the remaining three vulnerabilities patched in Magento 2.3.4 are considered important and all three could result in the disclosure of sensitive information.
Tracked as CVE-2020-3715 and CVE-2020-3758, the first two are stored cross-site scripting (XSS) flaws, while the third one is a path traversal with the CVE number CVE-2020-3717.
These vulnerabilities were found to impact both Magento Commerce and Magento Open Source, versions 2.3.3 and earlier and 2.2.10 and earlier, as well as Magento Enterprise Edition 1.14.4.3 and earlier, and Magento Community Edition 1.9.4.3 and earlier.
With the previous quarterly release, Adobe also introduced security-only patches, which allow merchants to install time-sensitive vulnerability fixes without having to apply all of the functional patches and enhancements that are normally included in a full quarterly release.
Thus, fixes for the vulnerabilities that have been identified in Magento 2.3.3 were included in Patch 2.3.3.1 (Composer package 2.3.3-p1), a security-only patch that also includes all the hotfixes applied to the 2.3.3 release.
“Security-only patches include only security bug fixes, not th ..
Support the originator by clicking the read the rest link below.
