Magento Patch Tuesday
Magento have been busy releasing patches for 1.9.3, 2.0.10 and 2.1.2, please contact us if you would like these patches installing
SUPEE-8788 Magento Community Edition 1.9.3
SUPEE-8788, Enterprise Edition 1.14.3 and Community Edition 1.9.3 address Zend framework and payment vulnerabilities, ensure sessions are invalidated after a user logs out, and make several other security enhancements that are detailed below.
Information on additional functional enhancements available the new 1.14.3 and 1.9.3 releases is available in the ENTERPRISE EDITION and COMMUNITY EDITION RELEASE NOTES.
Patches and upgrades are available for the following Magento versions:
- Enterprise Edition 1.9.0.0-1.14.2.4: SUPEE-8788 or upgrade to Enterprise Edition 1.14.3
- Community Edition 1.5.0.1-1.9.2.4: SUPEE-8788 or upgrade to Community Edition 1.9.3
| APPSEC-1484 – Remote Code Execution in checkout | |
|---|---|
| Type: | Remote Code Execution (RCE) |
| CVSSv3 Severity: | 9.8 (Critical) |
| Known Attacks: | None |
| Description: | With some payment methods it might be possible to execute malicious PHP code during checkout. |
| Product(s) Affected: | Magento CE prior to 1.9.3, and Magento EE prior to 1.14.3 |
| Fixed In: | CE 1.9.3, EE 1.14.3, SUPEE-8788 |
| Reporter: | Peter O’Callaghan |
| APPSEC-1480 – SQL injection in Zend Framework | |
|---|---|
| Type: | SQL Injection/Improper validation |
| CVSSv3 Severity: | 9.1 (Critical) |
| Known Attacks: | None |
| Description: | A bug in Zend Framework value escaping allows a malicious user to inject SQL through the ordering or grouping parameters. While there are no known frontend entry point vulnerabilities that would allow for a full SQL injection, we’ve found an entry point in the Magento Admin panel, and other entry points most likely exist. |
| Product(s) Affected: | Magento CE prior to 1.9.3, and Magento EE prior to 1.14.3 |
| Fixed In: | CE 1.9.3, EE 1.14.3, SUPEE-8788 |
| Reporter: | Peter O’Callaghan |
| APPSEC-1488 – Stored XSS in invitations | |
|---|---|
| Type: | Cross-Site Scripting (XSS) – Stored |
| CVSSv3 Severity: | 8.2 (High) |
| Known Attacks: | None |
| Description: | It is possible to use the Magento Enterprise Edition invitations feature to insert malicious JavaScript that might be executed in the admin context. |
| Product(s) Affected: | Magento EE prior to 1.14.3 |
| Fixed In: | EE 1.14.3, SUPEE-8788 |
| Reporter: | Peter O’Callaghan |
| APPSEC-1247 – Block cache exploit | |
|---|---|
| Type: | Information Leakage |
| CVSSv3 Severity: | 7.7 (High) |
| Known Attacks: | None |
| Description: | With access to any CMS functionality, an attacker with administrator permissions can use blocks to exfiltrate information stored in cache. This sensitive information includes store configuration, encryption key, and database connection details. Additionally, it might be possible to execute code. |
| Product(s) Affected: | Magento CE prior to 1.9.3, and Magento EE prior to 1.14.3 |
| Fixed In: | CE 1.9.3, EE 1.14.3, SUPEE-8788 |
| Reporter: | Peter O’Callaghan |
| APPSEC-1517 – Log in as another customer | |
|---|---|
| Type: | Insufficient data protection |
| CVSSv3 Severity: | 7.5 (High) |
| Known Attacks: | None |
| Description: | In certain configurations, it is possible to log in as existing store customer while knowing only his email address, not his password. |
| Product(s) Affected: | Magento CE prior to 1.9.3, and Magento EE prior to 1.14.3 |
| Fixed In: | CE 1.9.3, EE 1.14.3, SUPEE-8788 |
| Reporter: | Peter O’Callaghan |
| APPSEC-1375 – Remote Code Execution in admin | |
|---|---|
| Type: | Remote code execution (RCE) |
| CVSSv3 Severity: | 6.5 (Medium) |
| Known Attacks: | None |
| Description: | The import/export functionality in Magento unserializes data supplied from the Admin dashboard without proper checks. This can lead to possible code execution if a malicious user has Magento Admin access, even if access is limited to the import/export functionality. |
| Product(s) Affected: | Magento CE prior to 1.9.3, and Magento EE prior to 1.14.3 |
| Fixed In: | CE 1.9.3, EE 1.14.3, SUPEE-8788 |
| Reporter: | Peter O’Callaghan |
| APPSEC-1338 – Full Page Cache poisoning | |
|---|---|
| Type: | Cache Poisoning |
| CVSSv3 Severity: | 6.5 (Medium) |
| Known Attacks: | None |
| Description: | It is possible to manipulate the full page cache to store incorrect pages under regular page URL entries. This issue affects only Magento Enterprise Edition. |
| Product(s) Affected: | Magento EE prior to 1.14.3 |
| Fixed In: | EE 1.14.3, SUPEE-8788 |
| Reporter: | Peter O’Callaghan |
| APPSEC-1436 – XSS vulnerability in URL processing | |
|---|---|
| Type: | Cross-site Scripting (XSS) |
| CVSSv3 Severity: | 6.1 (Medium) |
| Known Attacks: | None |
| Description: | Magento function related to URL processing incorrectly uses user-supplied data from request headers. This can result in a cross-site scripting issue. |
| Product(s) Affected: | Magento CE prior to 1.9.3, and Magento EE prior to 1.14.3 |
| Fixed In: | CE 1.9.3, EE 1.14.3, SUPEE-8788 |
| Reporter: | Internal/support |
| APPSEC-1211 – XSS in categories management | |
|---|---|
| Type: | Cross-site Scripting (XSS) |
| CVSSv3 Severity: | 6.1 (Medium) |
| Known Attacks: | None |
| Description: | It is possible to create a category that contains malicious JavaScript code in the category name. This code will then be executed in other parts of the Admin panel, such as URL Rewrites. To exploit this issue, a user would need admin access to catalog management. |
| Product(s) Affected: | Magento CE prior to 1.9.3, and Magento EE prior to 1.14.3 |
| Fixed In: | CE 1.9.3, EE 1.14.3, SUPEE-8788 |
| Reporter: | Milan A. Solanki |
| APPSEC-1058 – GIF flooding | |
|---|---|
| Type: | Denial of Service (DoS) |
| CVSSv3 Severity: | 5.3 (Medium) |
| Known Attacks: | None |
| Description: | A malicious user can upload a modified image that could cause a script timeout, resulting in a denial of service attack. (This potential vulnerability affects stores that allow users to upload images as a custom option or through the Admin dashboard) |
| Product(s) Affected: | Magento CE prior to 1.9.3, and Magento EE prior to 1.14.3 |
| Fixed In: | CE 1.9.3, EE 1.14.3, SUPEE-8788 |
| Reporter: | Shahmeer Baloch |
| APPSEC-666 – Cross-site scripting in Flash file uploader | |
|---|---|
| Type: | Cross-Site Scripting (XSS) – reflected |
| CVSSv3 Severity: | 5.3 (Medium) |
| Known Attacks: | None |
| Description: | Reflected cross-site scripting is possible on sites that use the file custom option. |
| Product(s) Affected: | Magento CE prior to 1.9.3, and Magento EE prior to 1.14.3 |
| Fixed In: | CE 1.9.3, EE 1.14.3, SUPEE-8788 |
| Reporter: | Francisco Javier Correa Silva |
| APPSEC-1282: Filter avoidance | |
|---|---|
| Type: | Filter avoidance |
| CVSSv3 Severity: | 4.9 (Medium) |
| Known Attacks: | None |
| Description: | Implementing filters for XSS in email templates and other Admin features might not be sufficient to stop specially crafted exploit strings. |
| Product(s) Affected: | Magento CE prior to 1.9.3, and Magento EE prior to 1.14.3 |
| Fixed In: | CE 1.9.3, EE 1.14.3, SUPEE-8788 |
| Reporter: | Peter O’Callaghan |
| APPSEC-327 – CSRF in several forms | |
|---|---|
| Type: | Cross-site Request Forgery (CSRF) |
| CVSSv3 Severity: | 4.7 (Medium) |
| Known Attacks: | None |
| Description: | Improper form key validation leads to possible CSRF attacks on several forms throughout Magento. As a result, a malicious user could create a phishing form that, when clicked by a user, would execute an action such as update cart or login. Note: This issue affects only older versions of Magento. |
| Product(s) Affected: | Magento CE prior to 1.8.1, and Magento EE prior to 1.13.1 |
| Fixed In: | CE 1.9.3, EE 1.14.3, SUPEE-8788 |
| Reporter: | Internal |
| APPSEC-1189 – CSRF on removing item from Wishlist or Address Book | |
|---|---|
| Type: | Cross-site Request Forgery (CSRF) |
| CVSSv3 Severity: | 4.7 (Medium) |
| Known Attacks: | None |
| Description: | It is possible to create a phishing page that if visited by a store customer would delete the customer’s address or wishlist items. |
| Product(s) Affected: | Magento CE prior to 1.9.3, and Magento EE prior to 1.14.3 |
| Fixed In: | CE 1.9.3, EE 1.14.3 |
| Reporter: | High-Tech Bridge Security Research |
| APPSEC-1478: Session does not expire on logout | |
|---|---|
| Type: | Insufficient Session Expiration |
| CVSSv3 Severity: | 4.2 (Medium) |
| Known Attacks: | None |
| Description: | Session do not expire after logout, making it possible to steal session cookies and access a customer’s account. This risk primarily occurs when users share a computer to access the site. |
| Product(s) Affected: | Magento CE prior to 1.9.3, and Magento EE prior to 1.14.3 |
| Fixed In: | CE 1.9.3, EE 1.14.3, SUPEE-8788 |
| Reporter: | Mahmoud Osama |
| APPSEC-1106 – Lack of certificate validation enables MitM attacks | |
|---|---|
| Type: | Man-in-the-Middle (MitM) |
| CVSSv3 Severity: | 3.7 (Low) |
| Known Attacks: | None |
| Description: | Lack of certificate validation on calls to external services enables man-in-the-middle attacks on those calls. This results in possible disclosure of customer information. The risk is low due to the effort needed to execute such an attack. |
| Product(s) Affected: | Magento CE prior to 1.9.3, and Magento EE prior to 1.14.3 |
| Fixed In: | CE 1.9.3, EE 1.14.3, SUPEE-8788 |
| Reporter: | Maksymilian Arciemowicz |
| APPSEC-995 – Timing attack on hash checking | |
|---|---|
| Type: | Timing attack |
| CVSSv3 Severity: | 3.7 (Low) |
| Known Attacks: | None |
| Description: | It is theoretically possible to execute a timing attack on the password checking functionality. This is a low-risk vulnerability due to the effort required to execute this attack successfully. |
| Product(s) Affected: | Magento CE prior to 1.9.3, and Magento EE prior to 1.14.3 |
| Fixed In: | CE 1.9.3, EE 1.14.3, SUPEE-8788 |
| Reporter: | Teguh P. Alko |
Magento Enterprise Edition and Community Edition 2.0.10 and 2.1.2
Contain multiple security enhancements to address a Zend Framework vulnerability, prevent unauthorized users from backing up Magento files, and ensure sessions are invalidated after a user logs out. More information about these issues is provided below.
Merchants who have not previously downloaded a Magento 2.0 release should go straight to Magento Enterprise Edition or Community Edition 2.0.6.
| APPSEC-1484 – Remote Code Execution in checkout | |
|---|---|
| Type: | Remote Code Execution (RCE) |
| CVSSv3 Severity: | 9.8 (Critical) |
| Known Attacks: | None |
| Description: | With some payment methods, users can execute malicious PHP code during checkout. |
| Product(s) Affected: | Magento CE and EE prior to 2.0.10/2.1.2 |
| Fixed In: | Magento CE and EE 2.0.10/2.1.2 |
| Reporter: | Peter O’Callaghan |
| APPSEC-1480 – SQL injection in Zend Framework | |
|---|---|
| Type: | SQL Injection/Improper validation |
| CVSSv3 Severity: | 9.1 (Critical) |
| Known Attacks: | None |
| Description: | A bug in Zend Framework value escaping allows a malicious user to inject SQL through the ordering or grouping parameters. While there are no known frontend entry point vulnerabilities that would allow for a full SQL injection, we’ve found an entry point in the Magento Admin panel, and other entry points most likely exist. |
| Product(s) Affected: | Magento CE and EE prior to 2.0.10/2.1.2 |
| Fixed In: | Magento CE and EE 2.0.10/2.1.2 |
| Reporter: | Peter O’Callaghan |
| APPSEC-1503 – Stored Cross-Site Scripting in email templates | |
|---|---|
| Type: | Cross-Site Scripting (XSS) – Stored |
| CVSSv3 Severity: | 8.7 (High) |
| Known Attacks: | None |
| Description: | It is possible to store malicious code in email templates that will be executed when the templates are previewed. |
| Product(s) Affected: | Magento CE and EE prior to 2.0.10/2.1.2 |
| Fixed In: | Magento CE and EE 2.0.10/2.1.2 |
| Reporter: | vishwaraj |
| APPSEC-1488 – Stored XSS in invitations | |
|---|---|
| Type: | Cross-Site Scripting (XSS) – Stored |
| CVSSv3 Severity: | 8.2 (High) |
| Known Attacks: | None |
| Description: | It is possible to use the Magento Enterprise Edition invitations feature to insert malicious JavaScript that might be executed in the admin context. |
| Product(s) Affected: | Magento EE prior to 2.0.10/2.1.2 |
| Fixed In: | Magento EE 2.0.10/2.1.2 |
| Reporter: | Peter O’Callaghan |
| APPSEC-1533 – Order item with altered price | |
|---|---|
| Type: | Improper input validation |
| CVSSv3 Severity: | 7.5 (High) |
| Known Attacks: | None |
| Description: | It is possible to alter product price by manipulating parameters and completing checkout with the altered price. |
| Product(s) Affected: | Magento CE and EE prior to 2.0.10/2.1.2 |
| Fixed In: | Magento CE and EE 2.0.10/2.1.2 |
| Reporter: | Ivan Weiler |
| APPSEC-1270 – Guest order view protection code vulnerable to brute-force attack | |
|---|---|
| Type: | Information Disclosure – personal |
| CVSSv3 Severity: | 7.5 (High) |
| Known Attacks: | None |
| Description: | The design of the guest order view protection makes it possible to access guest order information for particular orders. Although a user cannot target a specific order in the attack, or view all orders, he can use it to extract some order information from a store. |
| Product(s) Affected: | Magento CE and EE prior to 2.0.10/2.1.2 |
| Fixed In: | Magento CE and EE 2.0.10/2.1.2 |
| Reporter: | Peter O’Callaghan |
| APPSEC-1539 – Cross-Site Scripting in section loading | |
|---|---|
| Type: | Cross-Site Scripting (XSS) – Reflected |
| CVSSv3 Severity: | 7.2 (High) |
| Known Attacks: | None |
| Description: | It is possible to inject malicious JavaScript code when loading the content section of a request. Note: There is a low risk of this type of attack as the server should not execute code that contains incompatible content types. |
| Product(s) Affected: | Magento CE and EE prior to 2.0.10/2.1.2 |
| Fixed In: | Magento CE and EE 2.0.10/2.1.2 |
| Reporter: | Support Customer |
| APPSEC-1433 – Unauthorized removal of customer address | |
|---|---|
| Type: | Cross-Site Request Forgery (CSRF) |
| CVSSv3 Severity: | 6.5 (Medium) |
| Known Attacks: | None |
| Description: | It is possible to trick a user into deleting his store address book entries. |
| Product(s) Affected: | Magento CE and EE prior to 2.0.10/2.1.2 |
| Fixed In: | Magento CE and EE 2.0.10/2.1.2 |
| Reporter: | Vishwaraj Bhattrai |
| APPSEC-1338 – Full Page Cache poisoning | |
|---|---|
| Type: | Cache Poisoning |
| CVSSv3 Severity: | 6.5 (Medium) |
| Known Attacks: | None |
| Description: | It is possible to manipulate the full page cache to store incorrect pages under regular page URL entries. |
| Product(s) Affected: | Magento EE prior to 2.0.10/2.1.2 |
| Fixed In: | Magento EE 2.0.10/2.1.2 |
| Reporter: | Peter O’Callaghan |
| APPSEC-1329 – Information disclosure in maintenance mode | |
|---|---|
| Type: | Information disclosure |
| CVSSv3 Severity: | 5.3 (Medium) |
| Known Attacks: | None |
| Description: | When a store is in maintenance mode, it can expose internal files. |
| Product(s) Affected: | Magento CE and EE prior to 2.0.10/2.1.2 |
| Fixed In: | Magento CE and EE 2.0.10/2.1.2 |
| Reporter: | Branko Ajzele |
| APPSEC-1490 – Local file inclusion | |
|---|---|
| Type: | Local file inclusion |
| CVSSv3 Severity: | 4.9 (Medium) |
| Known Attacks: | None |
| Description: | A user with lesser privileges can store system files in a publicly accessible media folder. These files can be retrieved later by any user. |
| Product(s) Affected: | Magento CE and EE prior to 2.0.10/2.1.2 |
| Fixed In: | Magento CE and EE 2.0.10/2.1.2 |
| Reporter: | Subnet |
| APPSEC-1543 – Removal of currently logged-in administrator | |
|---|---|
| Type: | Incorrect escaping/Cross-Site Request Forgery |
| CVSSv3 Severity: | 4.9 (Medium) |
| Known Attacks: | Medium |
| Description: | It is possible to provide a parameter that results in the deletion of the currently logged-in user. If form key functionality is turned off, a malicious user can create a CSRF attack to delete the Admin user. |
| Product(s) Affected: | Magento CE and EE prior to 2.0.10/2.1.2 |
| Fixed In: | Magento CE and EE 2.0.10/2.1.2 |
| Reporter: | TBD |
| APPSEC-1212 – CSRF delete items from mini cart | |
|---|---|
| Type: | Cross-Site Request Forgery |
| CVSSv3 Severity: | 4.3 (Medium) |
| Known Attacks: | None |
| Description: | Magento does not validate the form key when deleting items from the mini cart using a GET request. As a result, it is possible to trick a customer into deleting items from his cart using phishing emails or other link-hiding/obfuscation techniques. |
| Product(s) Affected: | Magento CE and EE prior to 2.0.10 |
| Fixed In: | Magento CE and EE 2.0.10 |
| Reporter: | Internal |
| APPSEC-1478 – Session does not expire on logout | |
|---|---|
| Type: | Insufficient Session Expiration |
| CVSSv3 Severity: | 4.2 (Medium) |
| Known Attacks: | None |
| Description: | Sessions do not expire after logout, making it possible to steal session cookies and access the customer’s account. This risk primarily occurs when users share a computer to access the site. |
| Product(s) Affected: | Magento CE and EE prior to 2.0.10/2.1.2 |
| Fixed In: | Magento CE and EE 2.0.10/2.1.2 |
| Reporter: | Mahmoud Osama |
| APPSEC-1481 – Admin users can create backups regardless of privileges | |
|---|---|
| Type: | Cross-site request forgery (CSRF) |
| CVSSv3 Severity: | 4.1 (Medium) |
| Known Attacks: | None |
| Description: | Lack of CSRF protection and privilege check allows any Admin user to create a backup of the system. An Admin user can be tricked into clicking on a phishing form that creates a backup, or an Admin user with lesser privileges can access this functionality. This attack has a low risk because creating a backup in itself does not harm the installation. |
| Product(s) Affected: | Magento CE and EE prior to 2.0.10/2.1.2 |
| Fixed In: | Magento CE and EE 2.0.10/2.1.2 |
| Reporter: | VN-49-D1 |
Be sure to implement and test the new version in a development environment first to confirm that it works as expected before deploying it to a production site. Information about installing a new release is AVAILABLE ONLINE