SUPEE-9767
SUPEE-9767, Enterprise Edition 1.14.3.3 and Community Edition 1.9.3.3 address several security issues.
We offer a Patch install service for all customers, please log into our client area and order here
NOTE:
Before applying the patch or upgrading to the latest release, make sure to disable Symlinks setting in System > Configuration > Advanced > Developer > Enable Symlinks. The setting, if enabled, will override configuration file setting and changing it will require direct database modification.
Patches and upgrades are available for the following Magento versions:
- Enterprise Edition 1.9.0.0-1.14.3.2: SUPEE-9767 or upgrade to Enterprise Edition 1.14.3.3
- Community Edition 1.5.0.1-1.9.3.2: SUPEE-9767 or upgrade to Community Edition 1.9.3.3
| APPSEC-1281: Remote code execution through symlinks | |
|---|---|
| Type: | Remote Code Execution (RCE) |
| CVSSv3 Severity: | 8.8 (High) |
| Known Attacks: | Yes. Attackers are disabling a configuration protection after gaining admin access and are uploading malicious code. |
| Description: | Use of the AllowSymlinks option in configuration settings can enable the upload of an image that contains malicious code. Although this option is disabled by default, an attacker with access to store configuration settings can enable it and remotely execute code. |
| Product(s) Affected: | Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3 |
| Fixed In: | CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767 |
| Reporter: | Wilko Nienhaus |
| APPSEC-1777: Remote Code Execution in DataFlow | |
|---|---|
| Type: | Remote Code Execution (RCE) |
| CVSSv3 Severity: | 8.8 (High) |
| Known Attacks: | None |
| Description: | Magento administrators with access to DataFlow functionality can use it to upload and execute arbitrary code. |
| Product(s) Affected: | Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3 |
| Fixed In: | CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767 |
| Reporter: | Fabain |
| APPSEC-1686: Remote Code Execution in the Admin panel | |
|---|---|
| Type: | Remote Code Execution (RCE) |
| CVSSv3 Severity: | 8.8 (High) |
| Known Attacks: | None |
| Description: | Store administrators with access to CMS functionality can remotely execute code. |
| Product(s) Affected: | Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3, Magento 2.0 prior to 2.0.14, Magento 2.1 prior to 2.1.7 |
| Fixed In: | CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767, Magento 2.0.14 and Magento 2.1.7 |
| Reporter: | Fabain |
| APPSEC-1320: SQL injection in Visual Merchandiser (Enterprise Edition) | |
|---|---|
| Type: | SQL Injection |
| CVSSv3 Severity: | 8.8 (High) |
| Known Attacks: | None |
| Description: | The Visual Merchandiser contains an SQL injection vulnerability that can potentially allow a user with Admin privileges to directly edit the database. |
| Product(s) Affected: | Magento EE prior to 1.14.3.3 |
| Fixed In: | EE 1.14.3.3, SUPEE-9767 |
| Reporter: | Oleksandr Semchyshyn |
| APPSEC-1634: XSS in data fields | |
|---|---|
| Type: | Cross-Site Scripting (XSS, reflected) |
| CVSSv3 Severity: | 8.7 (High) |
| Known Attacks: | None |
| Description: | Some Admin tables do not filter data, which provides an inadvertent opening for reflected cross-site scripting attacks. |
| Product(s) Affected: | Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3 |
| Fixed In: | CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767 |
| Reporter: | Lipsum |
| APPSEC-1759: XSS in Admin panel configuration | |
|---|---|
| Type: | Cross-Site Scripting (XSS, stored) |
| CVSSv3 Severity: | 8.1 (High) |
| Known Attacks: | None |
| Description: | A Magento administrator with access to configuration settings can enter malicious code that can be executed on other Admin panel pages. |
| Product(s) Affected: | Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3 |
| Fixed In: | CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767 |
| Reporter: | Fabain |
| APPSEC-1549: CSRF after logout – form key not invalidated | |
|---|---|
| Type: | Cross-Site Request Forgery (CSRF) |
| CVSSv3 Severity: | 8.0 (High) |
| Known Attacks: | None |
| Description: | Magento does not invalidate form keys on logout, which potentially allows an attacker to execute commands as administrator after the admin logs out. |
| Product(s) Affected: | Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3 |
| Fixed In: | CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767 |
| Reporter: | Internal |
| APPSEC-1693: Bypassing ACLs in store configuration permissions | |
|---|---|
| Type: | Privilege Escalation |
| CVSSv3 Severity: | 6.5 (Medium) |
| Known Attacks: | None |
| Description: | Administrators with limited permission to modify configuration settings can also edit PayPal or payment configuration settings despite lack of explicit permissions. |
| Product(s) Affected: | Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3 |
| Fixed In: | CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767 |
| Reporter: | Peter O’Callaghan |
| APPSEC-1677: Local File Disclosure for admin users with access to dataflow | |
|---|---|
| Type: | Information Leak (system) |
| CVSSv3 Severity: | 6.5 (Medium) |
| Known Attacks: | None |
| Description: | An authenticated administrator can use DataFlow to exfiltrate system files. |
| Product(s) Affected: | Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3 |
| Fixed In: | CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767 |
| Reporter: | Fabain |
| APPSEC-1546: CSRF Vulnerability in Checkout feature | |
|---|---|
| Type: | Cross-Site Request Forgery (CSRF) |
| CVSSv3 Severity: | 6.1 (Medium) |
| Known Attacks: | None |
| Description: | Checkout functionality is vulnerable to cross-site request forgery attacks. These types of attacks are typically executed by phishing emails or pages that allow attackers to modify or harvest payment details. |
| Product(s) Affected: | Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3 |
| Fixed In: | CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767 |
| Reporter: | Internal |
| APPSEC-1597: Potential for user name enumeration | |
|---|---|
| Type: | Insufficient Data Protection |
| CVSSv3 Severity: | 5.3 (Medium) |
| Known Attacks: | None |
| Description: | When a user tries to log in using an invalid username or password, the Magento authentication mechanism responds with a message that indicates whether the username is valid. A malicious user can use this information to build a list of registered users. |
| Product(s) Affected: | Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3 |
| Fixed In: | CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767 |
| Reporter: | Internal |
| APPSEC-1695: CSRF cache management | |
|---|---|
| Type: | Cross-Site Request Forgery (CSRF) |
| CVSSv3 Severity: | 4.7 (Medium) |
| Known Attacks: | None |
| Description: | Vulnerabilities in session cache management may provide an opening for a cross-site request forgery attack. These types of attacks can include malicious clearing of session data. |
| Product(s) Affected: | Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3 |
| Fixed In: | CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767 |
| Reporter: | Peter O’Callaghan |
| APPSEC-1324: Customer passwords exposed in logs | |
|---|---|
| Type: | Information Disclosure / Leakage (Confidential or Restricted) |
| CVSSv3 Severity: | 4.4 (Medium) |
| Known Attacks: | None |
| Description: | In certain configurations, and depending on previous customer actions, a log-in action can generate an exception. Magento logs this exception, which may contain customer passwords, on the server. |
| Product(s) Affected: | Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3 |
| Fixed In: | CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767 |
| Reporter: | Peter O’Callaghan |
| APPSEC-1675: Cross-site Request Forgery Vulnerability in Enterprise Edition (EE) Invites | |
|---|---|
| Type: | Cross-Site Request Forgery (CSRF) |
| CVSSv3 Severity: | 3.4 (Low) |
| Known Attacks: | None |
| Description: | The Magento EE private sale invite feature is not protected against cross-site request forgery attacks. This vulnerability potentially allows an attacker to invite himself to/register on a restricted access site. |
| Product(s) Affected: | Magento EE prior to 1.14.3.3 |
| Fixed In: | EE 1.14.3.3, SUPEE-9767 |
| Reporter: | Peter O’Callaghan |
| APPSEC-1659: Vulnerabilities in JavaScript libraries | |
|---|---|
| Type: | Misc Vulnerabilities |
| CVSSv3 Severity: | 0 (Low) |
| Known Attacks: | None |
| Description: | Magento uses versions of JavaScript libraries with known security vulnerabilities. Magento does not use the vulnerable functionality, and no Magento-specific attack vector has been found. However, out of caution, we’ve updated the JavaScript libraries in question to the latest versions. Note: this issue does not affect Magento CE version prior to 1.9.0.0 and Magento EE versions prior to 1.14.0.0. |
| Product(s) Affected: | Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3, Magento 2.0 prior to 2.0.14, Magento 2.1 prior to 2.1.7 |
| Fixed In: | CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767, Magento 2.0.14 and Magento 2.1.7 allin |
| Reporter: | Internal |
| APPSEC-1622: Incorrect routing of requests |
|---|
| APPSEC-1622: Incorrect routing of requests | |
|---|---|
| Type: | Abuse of Functionality |
| CVSSv3 Severity: | 0 (None) |
| Known Attacks: | None |
| Description: | Incorrect request routing can enable the bypassing of web server protections, which in turn provides potentially malicious users access to the server. |
| Product(s) Affected: | Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3, Magento 2.0 prior to 2.0.14, Magento 2.1 prior to 2.1.7 |
| Fixed In: | CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767, Magento 2.0.14 and Magento 2.1.7 allin |
| Reporter: | Internal |