High
CVE-2020-9588
Adobe Magento Commerce and Open Source editions could allow a remote authenticated attacker to bypass security restrictions, caused by an observable timing discrepancy. By persuading a victim to open a specially-crafted document, a remote attacker could exploit this vulnerability to bypass the signature verification.
CVE-2020-9587
Adobe Magento Commerce and Open Source editions could allow a remote attacker to bypass security restrictions, caused by a defense-in-depth security mitigation vulnerability. By persuading a victim to open a specially-crafted document, a remote attacker could exploit this vulnerability to gain unauthorized access to product discounts.
CVE-2020-9591
Adobe Magento Commerce and Open Source editions could allow a remote authenticated attacker to bypass security restrictions, caused by a defense-in-depth security mitigation vulnerability. By persuading a victim to open a specially-crafted document, a remote attacker could exploit this vulnerability to gain unauthorized access to the admin panel.
CVE-2020-9585
Adobe Magento Commerce and Open Source editions could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a defense-in-depth security mitigation vulnerability. By persuading a victim to open a specially-crafted document, a remote attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the victim or cause the application to crash.
CVE-2020-9584
Adobe Magento Commerce and Open Source editions are vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2020-9583
Adobe Magento Commerce and Open Source editions could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a command injection vulnerability. By persuading a victim to open a specially-crafted document, a remote attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the victim or cause the application to crash.
CVE-2020-9582
Adobe Magento Commerce and Open Source editions could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a command injection vulnerability. By persuading a victim to open a specially-crafted document, a remote attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the victim or cause the application to crash.
CVE-2020-9581
Adobe Magento Commerce and Open Source editions are vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2020-9580
Adobe Magento Commerce and Open Source editions could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a security mitigation bypass vulnerability. By persuading a victim to open a specially-crafted document, a remote attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the victim or cause the application to crash.
CVE-2020-9579
Adobe Magento Commerce and Open Source editions could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a security mitigation bypass vulnerability. By persuading a victim to open a specially-crafted document, a remote attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the victim or cause the application to crash.
CVE-2020-9578
Adobe Magento Commerce and Open Source editions could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a command injection vulnerability. By persuading a victim to open a specially-crafted document, a remote attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the victim or cause the application to crash.
CVE-2020-9577
Adobe Magento Commerce and Open Source editions are vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2020-9576
Adobe Magento Commerce and Open Source editions could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a command injection vulnerability. By persuading a victim to open a specially-crafted document, a remote attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the victim or cause the application to crash.
Adobe
Refer to Adobe Security Bulletin APSB20-22 for upgrade and patch information.
https://helpx.adobe.com/security/products/magento/apsb20-22.html