
Magento Security Update Fixes Critical Flaw

2020-07-28 by Michelle Dvorak


Magento e-Commerce sites get security updates for severe code execution bugs

A critical vulnerability in the Magento e-Commerce platform can allow arbitrary code execution when exploited by threat actors. Adobe released security updates today to fix three security flaws affecting Magento Commerce and Magento Open Source.

Affected software includes versions 2.3.5-p1 and earlier of both Magento Commerce and Magento Open Source.

Store owners with impacted Magento sites should upgrade to Magento 2.4.0, or to Magento Commerce or Magento Open Source 2.3.5-p2.

The first flaw is critical and is tracked as CVE-2020-9689 in the Common Vulnerabilities and Exposures (CVE) database. When exploited, it can allow threat actors to run arbitrary code on the server. The entry is still listed as reserved in the CVE database, and further details will become available once enough sites have been updated and secured.

The other two security bugs, CVE-2020-9690 and CVE-2020-9691, are rated important. CVE-2020-9690 can allow signature verification bypass, and CVE-2020-9691 can also allow arbitrary code execution.

Currently, there are no known attacks that exploit any of these three security bugs.

Security Risks for Magento Sites

Magento stores that are not kept up to date with the latest security patches are vulnerable to malware and other attacks used by threat actors. Malicious JavaScript is used in attacks known as MageCart attacks to compromise Magento websites and exfiltrate customer payment card numbers and other sensitive data.

The Federal Bureau of Investigation (FBI) has warned government agencies and businesses to defend against MageCart attacks and encourages e-Commerce site owners to keep their stores updated with security patches.

MageCart Attacks

MageCart attacks steal payment information from Magento e-Commerce sites. Threat actors inject malicious code into the site and use it to steal payment card information from shoppers as they move through the online checkout. Neither the Magento website owner nor the customer is aware that the threat actors are stealing payment card data. MageCart malware is used by a number of hacking organizations.

Hackers infect a website with MageCart malware by exploiting security bugs, or by compromising third-party vendors or website integrations that are not kept up to date.

Websites belonging to jewelry retailer Claire’s and its subsidiary Icing were attacked with MageCart malware between April 30 and June 13 of this year. Earlier this month, a North Korean advanced persistent threat group known as Lazarus Group was found to be attacking major online retailers with MageCart. Those attacks started in approximately May 2019.

Credit card skimming can impact any e-Commerce website as well as physical point-of-sale (POS) terminals at retail locations.

Credit card skimming isn’t the only kind of cyber attack that can impact an e-Commerce website. Threat actors can target any server with a distributed denial of service (DDoS) attack, in which attackers flood a server with a large number of requests. The server begins to respond slowly, or may stop responding entirely, because it was not designed to handle that much load. For example, a DDoS attack may use malicious code running on a botnet to request web pages at a rate of thousands per second. The resulting server workload leaves the website slow and unable to serve pages to human visitors.

Magento 1 Sunset

The first generation of Magento software, Magento 1.X, reached its end of life on June 30, 2020. All versions of Magento prior to 2.0 are sunsetted, meaning there will be no more security patches or upgrades. Although stores running Magento 1.X will continue to run for now, they may become incompatible with add-ons and third-party integrations.

About Michelle Dvorak

Michelle writes about cyber security and data privacy, focusing on social media privacy as well as how to protect your IoT devices. She has worked in internet technology for over 20 years and owns METRONY, LLC. Michelle earned a B.S. in Engineering from Rensselaer Polytechnic Institute. Michelle published a guide to Cyber Security for Business Travelers.

