Adobe issued an out-of-band security advisory and released patches for six vulnerabilities, three of them critical, in its Magento Commerce and Open Source products.
The Adobe products affected are Commerce 2.3.3, Open Source 2.3.3, Enterprise Edition 188.8.131.52 and Community Edition 184.108.40.206.
The three critical vulnerabilities are CVE-2020-3716, CVE-2020-3718 and CVE-2020-3719. The first two are, respectively, a deserialization of untrusted data flaw and a security bypass flaw, both of which can lead to arbitrary code execution. The third is an SQL injection that, if exploited, could lead to sensitive information disclosure.
The remaining vulnerabilities, CVE-2020-3715, CVE-2020-3758 and CVE-2020-3717, can also lead to sensitive information disclosure if exploited by an attacker. The first two are stored cross-site scripting issues and the last is a path traversal flaw.
Adobe is recommending users update to the latest version of the software.