In early 2024, the report by Sansec disclosed a vulnerability called CVE-2024-20720 that affects the Magento Open Source and Adobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier versions. This vulnerability, referred to as ‘XML backdoor,’ permits the injection of covert programs and commands which enables a high level of access and control over the online audience’s store. Although the vulnerability was corrected by Adobe in February 2024, stores using older versions that remain unpatched are at risk. This blog post provides details about the vulnerability, its consequences, and measures to be taken to safeguard Magento stores. Working with a Magento SEO agency can help ensure your site remains secure and optimized for search engines.
Key Vulnerability Details:
- Impact: Arbitrary code execution.
- Severity: Critical.
- Authentication Required: Yes.
- Admin Privileges Required: Yes.
- CVSS Base Score: 9.1 (High).
The XML Backdoor Explained:
CVE-2024-20720 is an OS Command Injection vulnerability that is found in the core XML processing functions of the Magento application. The use of this vulnerability allows the attackers to create malicious XML codes that execute certain commands when the checkout cart is accessed. Worryingly, this code is also self-replicating, thus allowing it to remain even when it is removed after infection. Although an Amasty module is used in related exploits, it is important to note that the core problem is not in the extension but in the core design of the Magento platform. The module was simply exploited as a host for the infection. Enlisting Magento 2 developer assistance can be invaluable in understanding and addressing this complex issue.
Protecting Your Magento Store:
Protecting your store requires immediate action. Follow these steps to mitigate the risk posed by CVE-2024-20720:
1. Check Your Magento Version:
- Determine your current Magento version through your Admin Panel (footer) or via the command line (using php bin/magento –version). If your version predates the February 2024 patch (2.4.6-p4, 2.4.5-p6, or 2.4.4-p7), your store is vulnerable and requires immediate attention.
2. Update Magento Core:
- Magento 2 Website Development Service: For a seamless and reliable update, consider engaging a professional Magento 2 website development service. Experts can handle the complexities of the update process, minimizing downtime and ensuring a secure transition.
- Manual Update: You may proceed to update your Magento installation yourself but this should be done only if you have the relevant skills. Refer to current best practices available in the official Magento documentation. Backing up of a store should also be observed before such updates.
- Security Patch Installation: For those clients who can’t undertake a full upgrade immediately, make sure that the relevant patches, especially the one out right now in February 2024, are installed. This is to ensure that there is timely protection against the XML backdoor vulnerability. There are also professional services for patch installation which guarantee the correct and accurate application of patches. Following the Magento 2 security practices is so very critical.
3. Test Your Store Post-Update:
- This is followed by testing the store that has had an update or one where patches have been installed: In this case, the functioning of the most important parts of the store (the checkout process, product details pages, the control panel, etc.) should be tested first. Eliminate the problem and seek assistance from Magento’s troubleshooting resources in case you experience any with the system.
Consequences of Inaction:
Failure to address this security flaw puts your shop at extreme risk. These include;
- Unauthorized Access: Assailants may seize control of your store, alter information, and execute orders fraudulently.
- Data Breaches: Customer’s private details and payment particulars may be lost or accessed illegally, which can lead to court cases and loss of a good name.
- Loss of Customer Trust: Security deficiencies lead to a loss of customer trust and/or loyalty, which endangers the business’s future success.
Need Help Securing Your Magento Store?
Icecube Digital specializes in providing cutting-edge digital marketing services, including robust and secure Magento development. Our team of experienced Magento 2 developers can help you navigate the complexities of Magento security, ensuring your store is protected against vulnerabilities like CVE-2024-20720.
Contact Icecube Digital today for a free consultation and learn how we can help fortify your Magento store against current and future threats.