Adobe issued an out-of-band security advisory and released patches for six vulnerabilities, three of them critical, in its Magento Commerce and Open Source products.
The Adobe products affected are Commerce 2.3.3, Open Source 2.3.3, Enterprise Edition 220.127.116.11 and Community Edition 18.104.22.168.
The three critical vulnerabilities are CVE-2020-3716, CVE-2020-3718 and CVE-2020-3719. The first two are, respectively, a deserialization of untrusted data flaw and a security bypass flaw, both of which can lead to arbitrary code execution. The third is a SQL injection that, if exploited, could lead to sensitive information disclosure.
The remaining vulnerabilities, CVE-2020-3715, CVE-2020-3758 and CVE-2020-3717, can also lead to sensitive information disclosure if exploited by an attacker. The first two are stored cross-site scripting issues and the last is a path traversal flaw.
Adobe is recommending users update to the latest version of the software.