Connect with us

NEWS

Magento Critical Vulnerabilities Announced by Adobe via @sejournal, @martinibuster

Published

on

Adobe announced it has released a patch for Magento 2 in order to fix multiple critical vulnerabilities. Some of the vulnerabilities could allow attackers to take over administrator sessions as well as grant access to customer information.

The vulnerabilities affecting the popular Magento ecommerce platform affect both the open source and commercial versions.

According to the Magento Open Source release notes:

Thirty-three security enhancements that help close remote code execution (RCE) and cross-site scripting (XSS) vulnerabilities

No confirmed attacks related to these issues have occurred to date.

However, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions.”

Advertisement

Continue Reading Below

Vulnerabilities Patched in Magento Ecommerce Platform

Adobe announced the release of Magento 2.4.3 which contains a total of 33 security enhancements.

These security issues affect both the commercial and open source versions of Magento.

Advertisement

Commercial Magento Versions that are Affected:

  • 2.4.2 and earlier versions
  • 2.4.2-p1 and earlier versions
  • 2.3.7 and earlier versions

Open Source Magento Versions that are Affected:

  • 2.4.2-p1 and earlier versions
  • 2.3.7 and earlier versions

Advertisement

Continue Reading Below

Critical Magento Security Issues

Several of the security issues are rated critical.

Of particular note is that of the sixteen security vulnerabilities that were announced by Adobe, ten of them do not require any admin or user credentials in order to exploit Magento.

The remaining six vulnerabilities require that an attacker already have administrator level privilege.

Eleven of the vulnerabilities are rated as critical and the rest are rated as important.

Eleven Critical Vulnerabilities in Magento

While all vulnerabilities should not be disregarded, the ones rated as critical are relatively especially dangerous.

There are four kinds of vulnerabilities:

  1. Arbitrary code execution (7 vulnerabilities)
  2. Security feature bypass (2)
  3. Application denial-of-service (1)
  4. Privilege escalation (1)

Magento Arbitrary Code Execution

The Arbitrary Code Execution exploits affecting Magento consist of six kinds of attacks.

  • Improper Access Control
  • Improper Input Validation
  • Path Traversal
  • OS Command Injection
  • Server-Side Request Forgery (SSRF)
  • XML Injection (aka Blind XPath Injection)

Examples of Magento Security Feature Bypass Exploits

There are two kinds of Security Feature Bypass issues affecting Magento that are patched in Magento version 2.4.3.

  • Improper Input Validation
    This kind of issue relates to a failure to properly validate an input for dangerous for the software to process . This allows an attacker to craft an unexpected input that can lead to an arbitrary code execution.
  • Improper Authorization
    An Improper Authorization exploit is when the software fails to properly check if the user has the privilege levels person making the inputs has the proper credentials.

Advertisement

Continue Reading Below

Advertisement

A common feature of the above exploits is that they allow an attacker to gain access to sensitive locations in the software, allowing an attacker to execute arbitrary commands.

According to Adobe’s summary:

“Magento has released updates for Adobe Commerce and Magento Open Source editions. These updates resolve vulnerabilities rated critical and important. Successful exploitation could lead to arbitrary code execution.”

Magento Update Version 2.4.3

It’s safe to say that updating to the latest version of Magento is recommended to be considered. Adobe’s release notes state that there are some backward compatibility issues.

Some of the changes are released independently and can be updated in that way.

Advertisement

Continue Reading Below

Please read the full Adobe release notes in the security bulletin.

Citations

Adobe Security Bulletin

Advertisement

Magento Open Source 2.4.3 Release Notes

Adobe Commerce 2.4.3 Release Notes

Minor Backward Incompatibility Issues

Major Backward Compatibility Issues

Searchenginejournal.com

NEWS

Google December Product Reviews Update Affects More Than English Language Sites? via @sejournal, @martinibuster

Published

on

Google’s Product Reviews update was announced to be rolling out to the English language. No mention was made as to if or when it would roll out to other languages. Mueller answered a question as to whether it is rolling out to other languages.

Google December 2021 Product Reviews Update

On December 1, 2021, Google announced on Twitter that a Product Review update would be rolling out that would focus on English language web pages.

The focus of the update was for improving the quality of reviews shown in Google search, specifically targeting review sites.

A Googler tweeted a description of the kinds of sites that would be targeted for demotion in the search rankings:

“Mainly relevant to sites that post articles reviewing products.

Think of sites like “best TVs under $200″.com.

Goal is to improve the quality and usefulness of reviews we show users.”

Advertisement

Advertisement

Continue Reading Below

Google also published a blog post with more guidance on the product review update that introduced two new best practices that Google’s algorithm would be looking for.

The first best practice was a requirement of evidence that a product was actually handled and reviewed.

The second best practice was to provide links to more than one place that a user could purchase the product.

The Twitter announcement stated that it was rolling out to English language websites. The blog post did not mention what languages it was rolling out to nor did the blog post specify that the product review update was limited to the English language.

Google’s Mueller Thinking About Product Reviews Update

Screenshot of Google's John Mueller trying to recall if December Product Review Update affects more than the English language

Screenshot of Google's John Mueller trying to recall if December Product Review Update affects more than the English language

Product Review Update Targets More Languages?

The person asking the question was rightly under the impression that the product review update only affected English language search results.

Advertisement

Advertisement

Continue Reading Below

But he asserted that he was seeing search volatility in the German language that appears to be related to Google’s December 2021 Product Review Update.

This is his question:

“I was seeing some movements in German search as well.

So I was wondering if there could also be an effect on websites in other languages by this product reviews update… because we had lots of movement and volatility in the last weeks.

…My question is, is it possible that the product reviews update affects other sites as well?”

John Mueller answered:

“I don’t know… like other languages?

My assumption was this was global and and across all languages.

But I don’t know what we announced in the blog post specifically.

Advertisement

But usually we try to push the engineering team to make a decision on that so that we can document it properly in the blog post.

I don’t know if that happened with the product reviews update. I don’t recall the complete blog post.

But it’s… from my point of view it seems like something that we could be doing in multiple languages and wouldn’t be tied to English.

And even if it were English initially, it feels like something that is relevant across the board, and we should try to find ways to roll that out to other languages over time as well.

So I’m not particularly surprised that you see changes in Germany.

But I also don’t know what we actually announced with regards to the locations and languages that are involved.”

Does Product Reviews Update Affect More Languages?

While the tweeted announcement specified that the product reviews update was limited to the English language the official blog post did not mention any such limitations.

Google’s John Mueller offered his opinion that the product reviews update is something that Google could do in multiple languages.

Advertisement

One must wonder if the tweet was meant to communicate that the update was rolling out first in English and subsequently to other languages.

It’s unclear if the product reviews update was rolled out globally to more languages. Hopefully Google will clarify this soon.

Citations

Google Blog Post About Product Reviews Update

Product reviews update and your site

Google’s New Product Reviews Guidelines

Write high quality product reviews

John Mueller Discusses If Product Reviews Update Is Global

Watch Mueller answer the question at the 14:00 Minute Mark

[embedded content]

Searchenginejournal.com

Continue Reading

DON'T MISS ANY IMPORTANT NEWS!
Subscribe To our Newsletter
We promise not to spam you. Unsubscribe at any time.
Invalid email address

Trending

Entireweb
en_USEnglish