Magento has urged users of the Magento Commerce 1 and Magento Open Source 1 e-commerce platforms to apply the latest updates following the discovery of two security vulnerabilities.
The most serious, critical flaw is a PHP object injection bug that could lead to arbitrary code execution.
Both flaws require administrative privileges to execute.
‘Relatively easy to exploit’
“PHP object injection bugs are issues related to how input is dealt with and, in this case, providing (in essence) PHP code will make the server execute it,” Yonathan Klijnsma, head of threat research at RiskIQ said.
“It gives attackers the ability to run PHP code on the server, meaning they would have broad access, hence why it is classified as a critical vulnerability.
“Similar vulnerabilities have occurred in platforms such as WordPress, and come down to how input is serialised – in many cases these are relatively easy to exploit.”
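As an added illustration of the bug class Klijnsma describes (example code, not from the article or from Magento), the vulnerable `unserialize()` pattern beside two hardened forms; the `CacheEntry` class, the `loadSession*` functions and the `/tmp/demo.txt` path are hypothetical:

```php
<?php
// Hypothetical class with a side-effecting magic method. Any such class that is
// loadable at unserialize() time is a potential "gadget": the attacker picks the
// class and every property value, and PHP runs __destruct() with them.
class CacheEntry
{
    public $file = '/tmp/demo.txt';
    public $data = '';

    public function __destruct()
    {
        file_put_contents($this->file, $this->data);
    }
}

// Vulnerable: untrusted input decides which objects get instantiated.
function loadSessionVulnerable(string $raw)
{
    return unserialize($raw);
}

// Hardened (1): forbid object instantiation. Every class in the payload comes
// back as __PHP_Incomplete_Class and no magic methods run.
function loadSessionHardened(string $raw)
{
    $v = unserialize($raw, ['allowed_classes' => false]);
    if ($v instanceof __PHP_Incomplete_Class) {
        return null; // treat a serialized object from the outside as invalid input
    }
    return $v;
}

// Hardened (2): do not use PHP's serialize format for untrusted data at all.
function loadSessionJson(string $raw): ?array
{
    $v = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
    return is_array($v) ? $v : null;
}

// Constructed payload: a serialized CacheEntry with attacker-chosen properties.
// Only the hardened path is exercised here; the vulnerable one would write the file.
$payload = 'O:10:"CacheEntry":2:{s:4:"file";s:13:"/tmp/demo.txt";s:4:"data";s:8:"injected";}';
var_dump(loadSessionHardened($payload));
var_dump(loadSessionJson('{"cart":[1,2]}'));
```

A code-review check for this class of bug is to locate every `unserialize()` call reachable from request data and confirm it either passes `allowed_classes => false` or reads only server-generated, integrity-protected input.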
In a security advisory published on Monday (June 22), Adobe said the updates would be the final security patches for the affected release line because it was discontinuing support for Magento 1 from June 2020.
The pair of vulnerabilities are present in all versions of Magento Commerce 1 (formerly Magento Enterprise Edition) and Magento Open Source 1 (previously Magento Community Edition) up to and including 184.108.40.206.
Adobe thanked Luke Rodgers for reporting the security flaws.
In a separate blog post published on Wednesday (June 24), the software giant said: “We’ve been working closely with customers, partners, and developers on transition plans through the Magento 1 [end-of-life] timeline.”
The decision to retire support for the 12-year-old release line was announced in September 2018.
According to Adobe, “thousands of merchants” have already migrated to Magento 2, which is said to be easier to maintain and support.
Merchants who haven’t yet migrated are advised to do so as soon as possible.
“If you need fast solutions to launch a Magento Commerce 2 store in as little as two weeks, please contact your Magento Customer Success Manager,” Adobe said.
Retailers whose online stores continue to run on Magento 1 after the June 30 end-of-life date will “have increased responsibility for maintaining [their] site’s security and PCI DSS compliance”.