Adobe has pushed out security updates fixing critical flaws in Magento Commerce, Open Source, Enterprise and Community editions, Adobe Illustrator 2020 for Windows, and Adobe Bridge for Windows.
Magento security update
According to the security bulletin published on Tuesday, thirteen flaws in all have been reported, all but one affecting all supported versions of Magento, the popular e-commerce platform.
Six of the Magento vulnerabilities are deemed critical: they are either command injection or security mitigation bypass flaws, and could be exploited to achieve arbitrary code execution by unauthenticated, remote attackers.
The rest are less severe and could lead to sensitive information disclosure, arbitrary code execution, unauthorized access to the admin panel (only on Magento 1 versions), signature verification bypass, and potentially unauthorized product discounts.
Admins are advised to upgrade their installations to one of the fixed versions soon (within 30 days):
- Magento Commerce (2.3.4-p2 Commerce or 2.3.5 Commerce)
- Magento Open Source (2.3.4-p2 Open Source or 2.3.5 Open Source)
- Magento Enterprise Edition 184.108.40.206
- Magento Community Edition 220.127.116.11
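One practical check an admin can run against a Magento 2 install is whether the deployed release is at or above one of the fixed 2.3.4-p2 / 2.3.5 releases. The snippet below is an added example, not part of the article or of Magento itself; it assumes that `bin/magento --version` prints a line of the form `Magento CLI 2.3.4-p1` and that Magento's `-pN` suffix denotes a security patch on top of the base release (so it must sort *after* the base, unlike a SemVer pre-release tag).

```python
import re
from typing import Tuple

# Fixed Magento 2 releases named in the bulletin.
FIXED_MAGENTO2 = ("2.3.4-p2", "2.3.5")

# MAJOR.MINOR.PATCH with an optional Magento-style "-pN" security patch suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '2.3.4-p2' into a sortable tuple (2, 3, 4, 2).

    The fourth element is the -pN patch level, 0 when absent, so that
    2.3.4 < 2.3.4-p1 < 2.3.4-p2 < 2.3.5. A generic SemVer comparator would
    treat '-p2' as a pre-release and wrongly rank it *below* plain 2.3.4.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Magento version string: {version!r}")
    major, minor, patch, plevel = match.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def version_from_cli_output(line: str) -> str:
    """Extract the version from a (constructed) 'bin/magento --version' line.

    Assumption: the CLI prints something like 'Magento CLI 2.3.4-p1'.
    """
    found = re.search(r"\d+\.\d+\.\d+(?:-p\d+)?", line)
    if not found:
        raise ValueError(f"no version found in CLI output: {line!r}")
    return found.group(0)


def is_patched(installed: str) -> bool:
    """True if the installed release is at or above a fixed release.

    Anything older than 2.3.4-p2 (including 2.3.4-p1, 2.3.4 and earlier
    2.x lines) is reported as unpatched; 2.3.5 and later releases pass.
    """
    current = parse_version(installed)
    return any(current >= parse_version(fixed) for fixed in FIXED_MAGENTO2)


if __name__ == "__main__":
    # Constructed sample of what the CLI might print on an unpatched host.
    sample_cli_line = "Magento CLI 2.3.4-p1"
    found_version = version_from_cli_output(sample_cli_line)
    print(found_version, "patched" if is_patched(found_version) else "UNPATCHED")
```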
Adobe Illustrator and Bridge vulnerabilities
The Adobe Illustrator vector graphics editor has been updated to close five critical memory corruption vulnerabilities that could be exploited for arbitrary code execution.
The security holes affect Illustrator 2020 versions 24.0.2 and earlier on Windows, and have been plugged in version 24.1.2.
Versions 10.0.1 and earlier of the digital asset management application Adobe Bridge for Windows sport seventeen vulnerabilities, fourteen of which are critical. Users are advised to upgrade to version 10.0.4.
The Magento update is considered more important than those for Illustrator and Bridge, mainly because the latter have, historically, not been a target for attackers. Magento, on the other hand, is famously and continuously targeted by Magecart attackers.