Security Updates Available for Magento | APSB20-41
| Bulletin ID | Date Published | Priority |
|---|---|---|
| APSB20-41 | June 22, 2020 | 2 |

Summary

Magento has released updates for Magento Commerce 1 and Magento Open Source 1. These updates resolve vulnerabilities rated Important and Critical. Successful exploitation could lead to arbitrary code execution.

Support for Magento Commerce 1.14 and Magento Open Source 1 is ending in June 2020. These will be the final security patches available for these editions.

Note:

Magento Commerce 1 is formerly known as Magento Enterprise Edition, and Magento Open Source 1 is formerly known as Magento Community Edition.

Affected Versions

| Product | Version | Platform |
|---|---|---|
| Magento Commerce 1 | 1.14.4.5 and earlier versions | All |
| Magento Open Source 1 | 1.9.4.5 and earlier versions | All |

Note:

These vulnerabilities do not impact Magento Commerce or Magento Open Source. 

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.

| Product | Version | Platform | Priority Rating | Availability |
|---|---|---|---|---|
| Magento Commerce 1 | SUPEE-11346 | All | 2 | My Account > Downloads Tab > Magento Commerce 1.X > Magento Commerce 1.x > Support and Security Patches > Security Patches > Security |
| Magento Open Source 1 | SUPEE-11346 | All | 2 | Magento Open Source Download Page > Release Archive Tab > Magento Open Source Patches - 1.x Section |

Vulnerability details

| Vulnerability Category | Vulnerability Impact | Severity | Pre-authentication? | Admin privileges required? | Magento Bug ID | CVE numbers |
|---|---|---|---|---|---|---|
| PHP Object Injection | Arbitrary code execution | Critical | No | Yes | PRODSECBUG-2758 | CVE-2020-9664 |
| Stored cross-site scripting | Sensitive information disclosure | Important | No | Yes | PRODSECBUG-2759 | CVE-2020-9665 |

Note:

Pre-authentication: The vulnerability is exploitable without credentials.

Admin privileges required: The vulnerability is only exploitable by an attacker with administrative privileges.

Acknowledgments

Adobe would like to thank Luke Rodgers for reporting these issues and for working with Adobe to help protect our customers.