Adobe has released security updates to address vulnerabilities in Magento Commerce 1 and Magento Open Source 1. The company also warned that older Magento 1.x versions will be end of life (EOL) and no longer get software support after this patch update.
An attacker could exploit one of these vulnerabilities to take control of impacted systems.
The Adobe Magento update APSB20-41 includes a fix for one Critical PHP Object Injection vulnerability CVE-2020-9664 that could lead to arbitrary code execution.
In addition, Adobe patched an Important Stored cross-site scripting (XSS) vulnerability CVE-2020-9665 in Magento that could result in sensitive information disclosure.
Adobe also warned this will be the last update for certain older versions of Magento:
“Support for Magento Commerce 1.14 and Magento Open Source 1 is ending in June 2020. This will be the final security patches available for these editions.”Adobe
Readers may also recall earlier this year when Visa urged merchants to upgrade Magento 1 ecommerce websites to 2.x before the end of June 2020.
Visa explained that failure to migrate Magento 1 ecommerce websites will result in merchants to fall out of the Payment Card Industry Data Security Standard (PCI-DSS).
Merchants can reference Magento’s Software Lifecycle Policy to help in the upgrade process to Magento 2.3.