
Adobe Commerce and Magento Open Source Update Addresses Critical Security Risks

Giulio Saggin
Monday 4 December 2023

Adobe has released a security update for Adobe Commerce and Magento Open Source, addressing critical and significant vulnerabilities. The update addresses flaws that, if successfully exploited, could lead to arbitrary code execution, privilege escalation, arbitrary file system read, security feature bypass, and application denial-of-service.

The affected versions encompass various release lines of Adobe Commerce and Magento Open Source:

  • Adobe Commerce: Versions ranging from 2.3.7-p4-ext-4 and earlier to 2.4.7-beta1 and earlier.

  • Magento Open Source: Versions ranging from 2.4.4-p5 and earlier to 2.4.7-beta1 and earlier.

Note: Some versions are exclusively applicable to customers in the Extended Support Program.

Adobe recommends immediate updates to the following versions for respective platforms:

  • Adobe Commerce: Versions 2.4.7-beta2, 2.4.6-p3, 2.4.5-p5, 2.4.4-p6, and more.

  • Magento Open Source: Versions 2.4.7-beta2, 2.4.6-p3, 2.4.5-p5, 2.4.4-p6, and earlier.

Note: Version specifics are available in the release notes for 2.4.x.
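As an added illustration (not code from the bulletin or from Adobe), the check below parses Magento-style version strings such as `2.4.6-p3`, `2.4.7-beta2` and `2.3.7-p4-ext-4` and tells whether an installed build is at or above the fixed build named above for its release line; `FIXED_VERSIONS`, `parse_version` and `patch_status` are this example's own names, and a release line that is not in the list is reported as unknown rather than as safe, since the full per-line list lives in the release notes.

```python
import re
from typing import Optional, Tuple

# Fixed builds named in the bulletin summary above (the same four are
# listed for Adobe Commerce and Magento Open Source). Release lines not
# present here are reported as None, not as patched.
FIXED_VERSIONS = ["2.4.7-beta2", "2.4.6-p3", "2.4.5-p5", "2.4.4-p6"]

# Ordering of stages within one base version, e.g.
# 2.4.7-beta1 < 2.4.7-beta2 < 2.4.7 < 2.4.7-p1 < 2.4.7-p1-ext-1
_STAGE_RANK = {"beta": 0, "": 1, "p": 2}
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:-(beta|p)(\d+))?(?:-ext-(\d+))?$"
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.3.7-p4-ext-4' into a sortable tuple
    (major, minor, patch, stage_rank, stage_no, ext_no)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {text!r}")
    major, minor, patch, stage, stage_no, ext_no = m.groups()
    return (
        int(major), int(minor), int(patch),
        _STAGE_RANK[stage or ""],
        int(stage_no or 0),
        int(ext_no or 0),
    )


def patch_status(installed: str, fixed=FIXED_VERSIONS) -> Optional[bool]:
    """True if `installed` is at or above the fixed build for its release
    line, False if it is below it, None if the line is not in `fixed`."""
    have = parse_version(installed)
    for fixed_version in fixed:
        want = parse_version(fixed_version)
        if have[:3] == want[:3]:  # same release line, e.g. 2.4.6
            return have >= want
    return None


if __name__ == "__main__":
    # Constructed sample inputs for a quick demonstration.
    for v in ["2.4.6-p2", "2.4.6-p3", "2.4.7-beta1", "2.4.5-p4", "2.3.7-p4-ext-4"]:
        print(v, patch_status(v))
```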

The security update addresses critical vulnerabilities, categorized by impact and severity, including:

  • Improper Input Validation (CWE-20): Leading to privilege escalation (CVE-2023-38218).

  • Cross-site Scripting (Stored XSS) (CWE-79): Allowing privilege escalation (CVE-2023-38219).

  • Improper Authorization (CWE-285): Resulting in security feature bypass (CVE-2023-38220).

  • SQL Injection (CWE-89): Enabling arbitrary code execution (CVE-2023-38221, CVE-2023-38249, CVE-2023-38250).

  • Information Exposure (CWE-200): Facilitating arbitrary code execution (CVE-2023-26367).

  • Uncontrolled Resource Consumption (CWE-400): Leading to application denial-of-service (CVE-2023-38251).

  • Server-Side Request Forgery (SSRF) (CWE-918): Allowing arbitrary file system read (CVE-2023-26366).

Additionally, the update addresses dependency vulnerabilities, notably CVE-2021-41182 in jQuery affecting specific versions of Adobe Commerce.

Given the critical nature of these vulnerabilities, users are strongly urged to update their installations promptly. Failure to do so could leave systems exposed to potential exploitation.

More info can be found in the Adobe Security Bulletin.
