Magento Core vulnerabilities

24 known vulnerabilities affecting magento/core.

Total CVEs: 24
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 11, HIGH 7, MEDIUM 6

Vulnerabilities

Page 1 of 2
CVE-2020-9631 [CRITICAL] | affected: ≥ 0, < 1.9.4.5 | 2022-05-24
Magento security mitigation bypass vulnerability. Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution.
Sources: GHSA, OSV
CVE-2020-9578 [CRITICAL] CWE-78 | affected: ≥ 0, < 1.9.4.5 | 2022-05-24
Magento command injection vulnerability. Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.
Sources: GHSA, OSV
CVE-2020-9630 [CRITICAL] CWE-269 | affected: ≥ 0, < 1.9.4.5 | 2022-05-24
Magento business logic error vulnerability. Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a business logic error vulnerability. Successful exploitation could lead to privilege escalation.
Sources: GHSA, OSV
CVE-2020-9576 [CRITICAL] CWE-78 | affected: ≥ 0, < 1.9.4.5 | 2022-05-24
Magento command injection vulnerability. Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.
Sources: GHSA, OSV
CVE-2020-9632 [CRITICAL] | affected: ≥ 0, < 1.9.4.5 | 2022-05-24
Magento security mitigation bypass vulnerability. Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution.
Sources: GHSA, OSV
CVE-2020-9580 [CRITICAL] | affected: ≥ 0, < 1.9.4.5 | 2022-05-24
Magento security mitigation bypass vulnerability. Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution.
Sources: GHSA, OSV
CVE-2020-9583 [CRITICAL] CWE-78 | affected: ≥ 0, < 1.9.4.5 | 2022-05-24
Magento command injection vulnerability. Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.
Sources: GHSA, OSV
CVE-2020-9582 [CRITICAL] CWE-78 | affected: ≥ 0, < 1.9.4.5 | 2022-05-24
Magento command injection vulnerability. Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.
Sources: GHSA, OSV
CVE-2020-9579 [CRITICAL] | affected: ≥ 0, < 1.9.4.5 | 2022-05-24
Magento security mitigation bypass vulnerability. Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution.
Sources: GHSA, OSV
CVE-2020-9585 [CRITICAL] | affected: ≥ 0, < 1.9.4.5 | 2022-05-24
Magento defense-in-depth security mitigation vulnerability. Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a defense-in-depth security mitigation vulnerability. Successful exploitation could lead to arbitrary code execution.
Sources: GHSA, OSV
CVE-2020-9664 [CRITICAL] CWE-94 | affected: ≥ 0, ≤ 1.9.4.5 | 2022-05-24
Magento PHP object injection vulnerability. Magento versions 1.14.4.5 and earlier, and 1.9.4.5 and earlier have a PHP object injection vulnerability. Successful exploitation could lead to arbitrary code execution. A patch, SUPEE-11346, is available at the [Magento Open Source Download Page](https://github.com/m-a-org/magento-patches) > Release Archive Tab > Magento Open Source Patches - 1.x Section.
Sources: GHSA, OSV
CVE-2019-8231 [HIGH] CWE-94 | affected: ≥ 0, < 1.9.4.3 | 2022-05-24
Magento remote code execution through catalog attribute sets. In Magento Open Source prior to 1.9.4.3, and Magento Commerce prior to 1.14.4.3, an authenticated user with administrative privileges for editing attribute sets can execute arbitrary code through custom layout modification.
Sources: GHSA, OSV
CVE-2020-3719 [HIGH] CWE-89 | affected: ≥ 0, < 1.9.4.4 | 2022-05-24
Magento SQL injection vulnerability. Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have an SQL injection vulnerability. Successful exploitation could lead to sensitive information disclosure.
Sources: GHSA, OSV
CVE-2020-9588 [HIGH] CWE-203 | affected: ≥ 0, < 1.9.4.5 | 2022-05-24
Magento signature verification bypass. Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have an observable timing discrepancy vulnerability. Successful exploitation could lead to signature verification bypass.
Sources: GHSA, OSV
CVE-2020-9591 [HIGH] CWE-200 | affected: ≥ 0, < 1.9.4.5 | 2022-05-24
Magento defense-in-depth security mitigation vulnerability. Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a defense-in-depth security mitigation vulnerability. Successful exploitation could lead to unauthorized access to the admin panel.
Sources: GHSA, OSV
CVE-2020-9587 [HIGH] CWE-863 | affected: ≥ 0, < 1.9.4.5 | 2022-05-24
Magento authorization bypass vulnerability. Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have an authorization bypass vulnerability. Successful exploitation could lead to potentially unauthorized product discounts.
Sources: GHSA, OSV
CVE-2015-6497 [HIGH] CWE-20 | affected: ≥ 0, < 1.9.2.1 | 2022-05-24
Magento arbitrary PHP code execution via the productData parameter. The create function in `app/code/core/Mage/Catalog/Model/Product/Api/V2.php` in Magento Community Edition (CE) before 1.9.2.1 and Enterprise Edition (EE) before 1.14.2.1, when used with PHP before 5.4.24 or 5.5.8, allows remote authenticated users to execute arbitrary PHP code via the productData parameter to `index.php/api/v2_soap`.
Sources: GHSA, OSV
CVE-2019-8230 [HIGH] CWE-94 | affected: ≥ 0, < 1.9.4.3 | 2022-05-24
Magento remote code execution through support/output path modification. In Magento Open Source prior to 1.9.4.3, and Magento Commerce prior to 1.14.4.3, an authenticated user with administrative privileges to edit configuration settings can execute arbitrary code through a crafted support/output path.
Sources: GHSA, OSV
CVE-2020-9665 [MEDIUM] CWE-79 | affected: ≥ 0, ≤ 1.9.4.5 | 2022-05-24
Magento stored cross-site scripting vulnerability. Magento versions 1.14.4.5 and earlier, and 1.9.4.5 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure. A patch, SUPEE-11346, is available at the [Magento Open Source Download Page](https://github.com/m-a-org/magento-patches) > Release Archive Tab > Magento Open Source Patches - 1.x Section.
Sources: GHSA, OSV
CVE-2019-8227 [MEDIUM] CWE-79 | affected: ≥ 0, < 1.9.4.3 | 2022-05-24
Magento XSS vulnerability. In Magento prior to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated user with limited administrative privileges can inject arbitrary JavaScript code via import / export functionality when creating profile action XML.
Sources: GHSA, OSV