Several versions of the Magento e-commerce platform contain vulnerabilities rated "Important" to "Critical". Remote attackers could use them, among other things, to execute arbitrary code and to access sensitive data. Adobe, which acquired Magento last year, has released updates that users should install promptly.
Adobe's Security Advisory covers six vulnerabilities: CVE-2020-3715, CVE-2020-3716, CVE-2020-3717, CVE-2020-3718, CVE-2020-3719 and CVE-2020-3758. The attack types it lists include (stored) cross-site scripting, SQL injection and path traversal.
According to Adobe, all versions of Magento Commerce and Open Source up to and including 2.2.10 and 2.3.3, all versions of Magento Enterprise Edition up to and including 126.96.36.199 and all versions of the Community Edition up to and including 188.8.131.52 are vulnerable. Links to the patched versions can be found in the Security Advisory.