Magento users stay alert – 24th Jun 2020

Background: Magento is an e-commerce platform written in PHP atop the zend-framework, available under both open-source and commercial licenses. It is written in an advanced object-oriented idiom that uses the MVC pattern and XML configuration files, aiming for flexibility and extensibility.

Vulnerabilities announced this week – Hints
Vendor have the right to remain vulnerability details and not disclose to public. And therefore we only obtain below information.

PHP Object Injection – Arbitrary code execution (Critical) – CVE-2020-9663

Stores cross-site scripting – Sensitive information disclosure (Important) – CVE-2020-9665

Please refer to attached diagram. Perhaps it will let you find out the root causes.

Official announcement:

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.