Adobe has released a security update for Adobe Commerce and Magento Open Source. We encourage you to minimize the risk to your customers. What are your options? You can update the products to the latest versions or apply a fix.
Read on to learn more.
The October Adobe security update fixes vulnerabilities including improper input validation, information exposure, server-side request forgery (SSRF) and stored cross-site scripting (XSS). The security patch released by Adobe prevents malicious code execution.
Note: more information about the latest Adobe security release can be found on the website.
In short, the main danger is an attacker who obtains the following two pieces of information:
- target customer ID
- target customer email
Worse, exact knowledge of the customer ID is not required: it can be circumvented by trying every ID between 1 and [attacker_controlled_id - 1] until a 200 response is received. Depending on the number of customers in the database, this takes between a couple of seconds and a couple of minutes. Further activity could then include placing fraudulent orders using the customer's stored payment methods.
The good news is that this can be avoided.
You have two options:
- Update the Adobe products to the latest versions. The released security update will then be downloaded automatically.
- Quickly fix the vulnerability by applying the following composer patch to your installation. It can be copied from https://gist.github.com/danslo/bb4234510eac3a3941dfde4e0580788b#composer-patch
+++ ./vendor/magento/module-customer/Plugin/Webapi/Controller/Rest/ValidateCustomerData.php 2023-09-11 17:11:34.000000000 +0200
@@ -28,8 +28,8 @@
*/
public function beforeOverride(ParamsOverrider $subject, array $inputData, array $parameters): array
{
- if (isset($inputData[self:: CUSTOMER_KEY])) {
- $inputData[self:: CUSTOMER_KEY] = $this->validateInputData($inputData[self:: CUSTOMER_KEY]);
+ if (isset($inputData[self::CUSTOMER_KEY])) {
+ $inputData[self::CUSTOMER_KEY] = $this->validateInputData($inputData[self::CUSTOMER_KEY]);
}
return [$inputData, $parameters];
}
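Review bot: the only change in this hunk is the removal of the stray space in `self:: CUSTOMER_KEY` on the `isset` line and the assignment line; `self:: CUSTOMER_KEY` is valid PHP and resolves to the same constant, so this is cosmetic and carries no security effect. It is worth stating that in the patch description so reviewers do not hunt for a behavioural change here, and it belongs in a separate whitespace commit from the functional fix in the next hunk. Also, the `---` (original file) line that normally precedes the `+++` header is missing from this excerpt.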
@@ -43,9 +43,8 @@
private function validateInputData(array $inputData): array
{
$result = [];
-
$data = array_filter($inputData, function ($k) use (&$result) {
- $key = is_string($k) ? strtolower($k) : $k;
+ $key = is_string($k) ? strtolower(str_replace('_', "", $k)) : $k;
return !isset($result[$key]) && ($result[$key] = true);
}, ARRAY_FILTER_USE_KEY);
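Review bot: the hunk header promises 9 old and 8 new lines, but only 8 old and 7 new lines are visible, so one trailing context line after `}, ARRAY_FILTER_USE_KEY);` has been cut off; `patch` will treat the hunk as malformed, so anyone applying this by hand should take the full version from the linked gist rather than from this excerpt. The functional fix itself is the `str_replace('_', "", $k)` added inside `strtolower()`, which makes `some_key`, `someKey` and `SOME_KEY` normalise to the same entry so only the first spelling of an attribute survives the filter; a one-line comment on the `+` line saying why underscores are stripped would save the next reader the reasoning. Minor: the quoting should be consistent, e.g. `str_replace('_', '', $k)`.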
Applying security updates that address vulnerabilities is good practice and helps protect your Magento 2-based store.
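To see what the second hunk of the composer patch changes, here is an added example (not the post's code and not Magento's) that re-implements the key de-duplication from `validateInputData()` in its pre-patch and patched forms and runs both over a constructed request body. It assumes, which the patch does not state, that the same attribute can reach this plugin spelled in snake_case and in camelCase, so keys differing only in case and underscores must be treated as one.

```php
<?php
declare(strict_types=1);

// Added example, not code from the post or from Magento: the key filter of
// ValidateCustomerData::validateInputData() before and after the patch.

/** Pre-patch normaliser: keys are only compared case-insensitively. */
function dedupeKeysBefore(array $inputData): array
{
    $result = [];
    return array_filter($inputData, function ($k) use (&$result) {
        $key = is_string($k) ? strtolower($k) : $k;
        // Keep the key only the first time its normalised form is seen.
        return !isset($result[$key]) && ($result[$key] = true);
    }, ARRAY_FILTER_USE_KEY);
}

/** Patched normaliser: underscores are stripped too, so snake_case and camelCase collide. */
function dedupeKeysAfter(array $inputData): array
{
    $result = [];
    return array_filter($inputData, function ($k) use (&$result) {
        $key = is_string($k) ? strtolower(str_replace('_', '', $k)) : $k;
        return !isset($result[$key]) && ($result[$key] = true);
    }, ARRAY_FILTER_USE_KEY);
}

// Constructed request body (not a real capture): one attribute spelled three ways.
$payload = [
    'group_id' => 1,
    'groupId'  => 2,
    'GROUP_ID' => 3,
    'email'    => 'shopper@example.test',
];

// Pre-patch, 'group_id' and 'groupId' are distinct keys and both survive;
// only 'GROUP_ID' is dropped, because it equals 'group_id' case-insensitively.
echo "before: ", implode(', ', array_keys(dedupeKeysBefore($payload))), PHP_EOL;

// Patched, all three spellings normalise to 'groupid', so only the first
// occurrence ('group_id' => 1) survives and the other two are discarded.
echo "after:  ", implode(', ', array_keys(dedupeKeysAfter($payload))), PHP_EOL;
```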
Stay tuned to receive important information for secure, fast, and well-functioning websites.
Hi guys,
Your GitHub link in this article displays a 404 error when opened. Can you provide the correct link?
Thank you for reporting this issue. We have just updated the link.