Updates released by Adobe on Tuesday for the Magento Commerce and Open Source editions address multiple critical severity vulnerabilities that could lead to arbitrary code execution.
A total of six critical vulnerabilities were patched in the popular e-commerce platform, none of which requires authentication for successful exploitation. All of them could be exploited to execute code on vulnerable systems.
These vulnerabilities include four command injection bugs (tracked as CVE-2020-9576, CVE-2020-9578, CVE-2020-9582, and CVE-2020-9583), and two security mitigation bypass flaws (tracked as CVE-2020-9579 and CVE-2020-9580).
The new Magento updates also include patches for four vulnerabilities considered important. Three of these (CVE-2020-9577, CVE-2020-9581, and CVE-2020-9584) are stored Cross-Site Scripting (XSS) flaws leading to sensitive information disclosure, while the fourth (CVE-2020-9588) is an Observable Timing Discrepancy bug leading to signature verification bypass.
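The observable timing discrepancy class of bug named above (CVE-2020-9588) typically arises when a signature is checked with an ordinary string comparison that stops at the first mismatching byte, so the time taken leaks how much of a guessed signature is correct. The following is an added illustration written for this article, not Magento's code or the patched routine: it signs a constructed message with HMAC-SHA256, shows a naive early-exit check whose work depends on the attacker-controlled input, and the constant-time check (`hmac.compare_digest`) that a defender should use instead. The key, message and function names are assumptions made for the example.

```python
import hmac
import hashlib

# Constructed demo key; a real deployment would load this from a secret store.
SECRET_KEY = b"constructed-demo-key"


def sign(message: bytes, key: bytes = SECRET_KEY) -> str:
    """Return the hex HMAC-SHA256 tag for message under key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def naive_equal(expected: str, supplied: str) -> bool:
    """Early-exit comparison: returns as soon as a byte differs.

    The number of loop iterations (and therefore the runtime) depends on
    how long the correct prefix of `supplied` is, which is the observable
    timing discrepancy that lets a signature be confirmed byte by byte.
    """
    if len(expected) != len(supplied):
        return False
    for a, b in zip(expected, supplied):
        if a != b:
            return False
    return True


def naive_work(expected: str, supplied: str) -> int:
    """Count how many bytes naive_equal inspects before deciding.

    This stands in for a wall-clock measurement so the leak is visible
    deterministically: more matching prefix bytes means more work.
    """
    if len(expected) != len(supplied):
        return 0
    steps = 0
    for a, b in zip(expected, supplied):
        steps += 1
        if a != b:
            break
    return steps


def verify_naive(message: bytes, signature: str, key: bytes = SECRET_KEY) -> bool:
    """Vulnerable pattern: correct result, but data-dependent timing."""
    return naive_equal(sign(message, key), signature)


def verify_constant_time(message: bytes, signature: str, key: bytes = SECRET_KEY) -> bool:
    """Hardened pattern: compare_digest runs in time independent of content."""
    return hmac.compare_digest(sign(message, key), signature)


if __name__ == "__main__":
    msg = b"order_id=1001&total=49.99"        # constructed sample payload
    good = sign(msg)
    bad = ("0" * len(good)) if good[0] != "0" else ("1" * len(good))
    print("naive, valid tag:        ", verify_naive(msg, good))
    print("constant-time, valid tag:", verify_constant_time(msg, good))
    print("constant-time, forged:   ", verify_constant_time(msg, bad))
    # Work grows with the length of the correct prefix under the naive check.
    print("work, no prefix match:   ", naive_work(good, bad))
    print("work, 8-byte prefix:     ", naive_work(good, good[:8] + bad[8:]))
```

The `naive_work` counter is only a stand-in for timing measurements; the point is that the hardened verifier's cost does not depend on where the supplied tag first differs from the expected one, which removes the side channel an attacker would otherwise use to forge a signature incrementally.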
Additionally, Adobe released patches for three moderate severity vulnerabilities. These include two defense-in-depth security mitigation issues (CVE-2020-9585 and CVE-2020-9591) that could lead to code execution and unauthorized access to the admin panel, respectively, and an authorization bypass issue (CVE-2020-9587) leading to potentially unauthorized product discounts.
The bugs were addressed with the release of Magento Commerce and Magento Open Source 2.3.4-p2 and 2.3.5-p1, Magento Enterprise Edition 188.8.131.52, and Magento Community Edition 184.108.40.206.
This week, Adobe also released patches for vulnerabilities in Bridge and Illustrator products, including many that have a critical severity rating.