Magento Commerce and Open Source update published by Adobe on Monday fix several critical vulnerabilities that could lead to the execution of arbitrary code.
In the popular e-commerce platform, a total of six crucial vulnerabilities have been patched, none of which needs authentication for efficient exploitation. They can all be used to execute code on compromised systems.
These vulnerabilities include four bugs (monitored as CVE-2020-9576, CVE-2020-9578, CVE-2020-9582, and CVE-2020-9583), while two bugs (observed as both CVE-2020-9579 and CVE-2020-9580) are tracked.
The latest updates to Magento also include patches for four significant vulnerabilities. Three of these (CVE-2020-9577, CVE-2020-9581, and CVE-2020-9584) are Cross-Site Scripting (XSS) defects that result in sensitive data disclosure, and the fourth is an Observable Timing Discrepancy Error that causes the verification of signatures to bypass.
Also, Adobe issued patches for three vulnerabilities of mild severity. The issues include two defense-in-depth vulnerability mitigation problems (CVE-2020-9585 and CVE-2020-9591) with code execution and unauthorized access to the admin screen, and a bypass permission issue (CVE-2020-9587).
The vulnerabilities were fixed with the Magento Commerce and Magento Open Source updates of 2.3.4-p2 and 2.3.5-p1, 22.214.171.124, and 126.96.36.199.
This week Adobe also released patches for Bridge and Illustrator product vulnerabilities, many of them critically dangerous.