Adobe today released security updates to fix two code execution vulnerabilities affecting Magento Commerce and Magento Open Source. Affected software includes Magento Commerce versions 2.3.5-p1 and earlier and Magento Open Source versions. One of the issues is caused by a path traversal bug, tracked as CVE-2020-9689, which could allow attackers with admin privileges to execute arbitrary code. The other is a DOM-based cross-site scripting bug which could enable unauthenticated attackers to run arbitrary code on unpatched systems. There are currently no known exploits and attacks are not imminent.
Source: https://www.bleepingcomputer.com/news/security/magento-gets-security-updates-for-severe-code-execution-bugs/