CVE-2020-24407, CVE-2020-24400: Adobe Magento File Upload Allow List Bypass/SQL Injection Vulnerabilities Alert

Magento is an open-source e-commerce platform written in PHP. It builds on several other PHP frameworks, such as Laminas and Symfony. The Magento source code is distributed under the Open Software License v3.0. Magento was acquired by Adobe Inc. in May 2018 for $1.68 billion USD.

On October 15, 2020, Adobe released a security bulletin fixing 9 vulnerabilities in Adobe Magento, including two critical ones: a file upload allow list bypass (CVE-2020-24407) and a SQL injection vulnerability (CVE-2020-24400).

[Image: Magento data leak. “How to Find Magento Solution Partner in India” by daniel0195 is licensed under CC BY-SA 2.0]

Vulnerability Detail

CVE-2020-24407: With administrative privileges, an attacker can construct malicious requests that bypass the file upload restrictions (allow list), resulting in remote code execution and ultimately the highest privileges on the server.
CVE-2020-24400: With administrative privileges, an attacker can construct malicious requests that query the database and gain arbitrary read or write access to it.

Affected version

  • Magento Commerce/Open Source <= 2.3.5-p2
  • Magento Commerce/Open Source <= 2.4.0
  • Magento Commerce/Open Source <= 2.3.5-p1
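An added example, not part of the advisory, that checks a Magento version string against the affected ranges listed above, treating the `-pN` security patch suffix as sorting after its base release (a naive semver comparison would sort it before, as a pre-release). It assumes `bin/magento --version` prints a line such as `Magento CLI 2.4.0`; the sample output below is constructed.

```python
import re

# Inclusive upper bounds of the affected ranges named in the advisory,
# per release branch: (major, minor, patch, security_patch_level).
AFFECTED_UPPER_BOUNDS = {
    (2, 3): (2, 3, 5, 2),   # <= 2.3.5-p2 (also covers <= 2.3.5-p1)
    (2, 4): (2, 4, 0, 0),   # <= 2.4.0
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_magento_version(text):
    """Turn '2.3.5-p2' into (2, 3, 5, 2).

    Magento's '-pN' suffix is a security patch level that sorts *after*
    the base release, unlike a semver pre-release tag, so it becomes a
    fourth numeric component instead of being compared as a string.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Magento version: %r" % text)
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected(version_text):
    """True if the version falls inside a range the advisory lists as affected."""
    v = parse_magento_version(version_text)
    branch = v[:2]
    if branch in AFFECTED_UPPER_BOUNDS:
        return v <= AFFECTED_UPPER_BOUNDS[branch]
    # Anything below the 2.3 branch is under the "<= 2.3.5-p2" bound as written.
    return v < (2, 3, 0, 0)


def version_from_cli_output(output):
    """Extract the version from `bin/magento --version` output,
    assumed to look like 'Magento CLI 2.4.0'."""
    m = re.search(r"(\d+\.\d+\.\d+(?:-p\d+)?)", output)
    if not m:
        raise ValueError("no version found in: %r" % output)
    return m.group(1)


if __name__ == "__main__":
    sample = "Magento CLI 2.3.5-p1"   # constructed sample, not a real capture
    ver = version_from_cli_output(sample)
    print(ver, "affected:", is_affected(ver))
```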

Solution

Adobe has released patches that fix these vulnerabilities; affected users should upgrade Magento to the latest version as soon as possible.