New Security Update

Install critical updates for Magento 1.x and Magento 2.x versions

MAGENTO 2.2.3, 2.1.12 AND 2.0.18 SECURITY UPDATE

February 27, 2018

Magento Commerce and Open Source 2.2.3, 2.1.12 and 2.0.18 contain multiple security enhancements that help close Cross-Site Scripting (XSS), authenticated Admin user remote code execution (RCE) and other vulnerabilities. The releases also include functional fixes. To find out more about the functional fixes, please check the Release Notes for Magento Commerce 2.0.18, 2.1.12, 2.2.3 and Magento Open Source 2.0.18, 2.1.12, 2.2.3.

Merchants who have not previously downloaded a Magento 2 release should go straight to Magento Commerce or Open Source 2.2.3.

Please refer to Security Best Practices for additional information on how to secure your site.

To download the releases, choose from the following options:

Partners:

Magento Commerce 2.2.3 (New .zip file installations)

Partner Portal > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.2.3

Magento Commerce 2.1.12 (New .zip file installations)

Partner Portal > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.1.12

Magento Commerce 2.0.18 (New .zip file installations)

Partner Portal > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.0.18

Magento Commerce 2.2.3, 2.1.12 and 2.0.18 (New composer installations)

https://devdocs.magento.com/guides/v2.2/install-gde/prereq/integrator_install.html

Magento Commerce 2.2.3, 2.1.12 and 2.0.18 (Composer upgrades)

https://devdocs.magento.com/guides/v2.2/comp-mgr/bk-compman-upgrade-guide.html

Magento Commerce:

Magento Commerce 2.2.3 (New .zip file installations)

My Account > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.2.3

Magento Commerce 2.1.12 (New .zip file installations)

My Account > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.1.12

Magento Commerce 2.0.18 (New .zip file installations)

My Account > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.0.18

Magento Commerce 2.2.3, 2.1.12 and 2.0.18 (New composer installations)

https://devdocs.magento.com/guides/v2.2/install-gde/prereq/integrator_install.html

Magento Commerce 2.2.3, 2.1.12 and 2.0.18 (Composer upgrades)

https://devdocs.magento.com/guides/v2.2/comp-mgr/bk-compman-upgrade-guide.html

Magento Open Source:

Magento Open Source 2.2.3, 2.1.12 and 2.0.18 (New .zip file installations)

Magento Open Source Download Page > Download Tab

Magento Open Source 2.2.3, 2.1.12 and 2.0.18 (New composer installations)

https://devdocs.magento.com/guides/v2.2/install-gde/prereq/integrator_install.html

Magento Open Source 2.2.3, 2.1.12 and 2.0.18 (Composer upgrades)

https://devdocs.magento.com/guides/v2.2/comp-mgr/bk-compman-upgrade-guide.html

Magento Open Source 2.2.3, 2.1.12 and 2.0.18 (Developers contributing to the Open Source code base)

https://devdocs.magento.com/guides/v2.2/install-gde/install/cli/dev_options.html

APPSEC-1951: JavaScript execution in the administrator panel
Type: Cross-site Scripting (XSS) - stored
CVSSv3 Severity: 9.8 (High)
Known Attacks: None
Description:

A user can insert a script in a storefront field that could lead to arbitrary JavaScript code execution in the context of the administrator panel.

Product(s) Affected: Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Phoenix128
APPSEC-1952: Remote Code Execution using media upload
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 9.8 (High)
Known Attacks: None
Description:

An administrator with limited privileges can remotely execute code using a path traversal vulnerability during the CMS image or media upload process.

Product(s) Affected: Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Magecraze
APPSEC-1865: Cross-Site Scripting in customer information
Type: Cross-site Scripting (XSS) - stored
CVSSv3 Severity: 7.5 (High)
Known Attacks: None
Description:

A user can insert script into some customer information fields, which could potentially result in stored cross-site scripting that affects administrators.

Product(s) Affected: Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Boskostan
APPSEC-1907: Cross-site Scripting in Customer Address
Type: Cross-site Scripting (XSS)
CVSSv3 Severity: 7.5 (High)
Known Attacks: None
Description:

A user can insert script into his or her address, which could potentially result in stored cross-site scripting that affects administrators.

Product(s) Affected: Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Magecraze
APPSEC-1935: Cross-site Scripting leading to Denial-of-Service
Type: Denial of Service (DoS)
CVSSv3 Severity: 7.1 (High)
Known Attacks: None
Description:

A user can insert script in their address field, which can potentially introduce a denial-of-service vulnerability. External reference: Fortiguard FG-VD-17-116

Product(s) Affected: Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: yzy9952
APPSEC-1977: Common Server Misconfiguration causes data leak
Type: Sensitive Information Exposure
CVSSv3 Severity: 6.6 (Medium)
Known Attacks: None
Description:

A common server misconfiguration can lead to sensitive data leakage. Note: If you are using Nginx as your web server, you need to configure Nginx separately to protect sensitive files such as auth.json in the Magento directory structure, because Nginx does not use .htaccess files.

Product(s) Affected: Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: dverkade
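The Nginx note above is the one item in this update that calls for a configuration change rather than only an upgrade. As an added example (not Magento's shipped nginx.conf.sample), the following location blocks deny direct requests for the files and directories that .htaccess would normally shield under Apache; it assumes the server block's root is the Magento installation directory (if the document root is already pub/, these paths are outside the web root and the rules are a belt-and-braces measure).

```nginx
# Added example, not from Magento's own configuration.
# Assumes: the "root" of this server block is the Magento install directory.
# Apache honours the .htaccess files Magento ships; Nginx ignores them, so the
# equivalent deny rules must be written into the server configuration.

# Credential and metadata files in the install root (auth.json carries repo
# credentials, composer.* describe the exact dependency set).
location ~* ^/(auth\.json|composer\.(json|lock)|\.htaccess|\.user\.ini) {
    deny all;
}

# Internal directories: app/etc/ holds the deployment configuration including
# database credentials; var/ holds logs, caches and import/export files.
location ~ ^/(app|var|vendor)/ {
    deny all;
}

# Never execute PHP from anywhere but the front controllers; anything else
# that ends in .php under a denied or upload path is served as 404.
location ~* ^/(media|static)/.*\.php$ {
    return 404;
}
```

After reloading Nginx, a request for /auth.json should return 403 rather than the file contents; checking that response from outside the host is a cheap regression test to keep in the deployment pipeline.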
APPSEC-1901: Local file inclusion in customer view
Type: Local File Inclusion (LFI)
CVSSv3 Severity: 6.4 (Medium)
Known Attacks: None
Description:

An administrator with limited privileges can read arbitrary files from the file system.

Product(s) Affected: Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Magecraze
APPSEC-1994: CSRF in Store Backups
Type: Cross-Site Request Forgery (CSRF)
CVSSv3 Severity: 6.4 (Medium)
Known Attacks: None
Description:

An administrator can be tricked into performing a system backup by an attacker who has crafted a targeted Cross-Site Request Forgery (CSRF) attack.

Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Boskostan
APPSEC-1986: Local file inclusion in import history
Type: Local File Inclusion (LFI)
CVSSv3 Severity: 6.1 (Medium)
Known Attacks: None
Description:

An administrator with limited privileges can delete critical system control files to subsequently gain privilege escalation through the Import History feature.

Product(s) Affected: Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Magecraze
APPSEC-1929: Path Traversal in Image Upload
Type: Path Traversal
CVSSv3 Severity: 5.7 (Medium)
Known Attacks: None
Description:

An administrator with limited privileges can insert a file in the file system using the WYSIWYG image upload process.

Product(s) Affected: Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Phoenix128
APPSEC-1960: Path Traversal in static.php file
Type: Path Traversal
CVSSv3 Severity: 5.7 (Medium)
Known Attacks: None
Description:

A user can gain file system write access using path traversal on the static.php file.

Product(s) Affected: Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Phoenix128
APPSEC-1879: Cross-site Scripting in Downloadable Products
Type: Cross-site Scripting (XSS) - stored
CVSSv3 Severity: 5.0 (Medium)
Known Attacks: None
Description:

An administrator with limited privileges can insert script into downloadable products, which could potentially result in stored cross-site scripting that affects other administrators.

Product(s) Affected: Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Mortis
APPSEC-1891: Cross-site Scripting in Admin Shipment tracking
Type: Cross-site Scripting (XSS) - stored
CVSSv3 Severity: 5.0 (Medium)
Known Attacks: None
Description:

An administrator with limited privileges can insert script into the shipment tracking, which could potentially result in stored cross-site scripting that affects other administrators.

Product(s) Affected: Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Magecraze
APPSEC-1905: Cross-site Scripting in detailed rating
Type: Cross-site Scripting (XSS) - stored
CVSSv3 Severity: 5.0 (Medium)
Known Attacks: None
Description:

An administrator with limited privileges can insert script into the detailed rating, which could potentially result in stored cross-site scripting that affects other administrators.

Product(s) Affected: Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Mortis
APPSEC-1906: Cross-site Scripting in System Configuration
Type: Cross-site Scripting (XSS) - stored
CVSSv3 Severity: 5.0 (Medium)
Known Attacks: None
Description:

An administrator with system configuration privileges can covertly add JavaScript to the Magento store front.

Product(s) Affected: Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12
Fixed In: Magento 2.0.18, Magento 2.1.12
Reporter: Mortis
APPSEC-1908/1948: Cross-site Scripting in custom variable
Type: Cross-site Scripting (XSS) - stored
CVSSv3 Severity: 5.0 (Medium)
Known Attacks: None
Description:

An administrator with limited privileges can insert script in the custom variables name field, which could potentially result in stored cross-site scripting that affects other administrators.

Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Magecraze
APPSEC-1916: Cross-site Scripting in Attribute Group Name
Type: Cross-site Scripting (XSS) - stored
CVSSv3 Severity: 5.0 (Medium)
Known Attacks: None
Description:

An administrator with limited privileges can insert script in the attribute group name field, which could potentially result in stored cross-site scripting that affects other administrators.

Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Magecraze
APPSEC-1928: Cross-site Scripting in Downloadable Product Link
Type: Cross-site Scripting (XSS) - stored
CVSSv3 Severity: 5.0 (Medium)
Known Attacks: None
Description:

An administrator with limited privileges can insert script in the downloadable product link title field, which could subsequently lead to a stored cross-site scripting attack.

Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Magecraze
APPSEC-1944: Cross-site Scripting in Date fields
Type: Cross-site Scripting (XSS) - stored
CVSSv3 Severity: 5.0 (Medium)
Known Attacks: None
Description:

An administrator with limited privileges can insert script into the private sales events and invitations fields, which can subsequently lead to a stored cross-site scripting attack.

Product(s) Affected: Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Magecraze
APPSEC-1945: Cross-site Scripting in Product SKU
Type: Cross-site Scripting (XSS) - stored
CVSSv3 Severity: 5.0 (Medium)
Known Attacks: None
Description:

An administrator with limited privileges can insert script in the RMA SKU field, which could potentially result in a stored cross-site scripting attack.

Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Magecraze
APPSEC-1947: Cross-site Scripting in RMA functionality
Type: Cross-site Scripting (XSS) - stored
CVSSv3 Severity: 5.0 (Medium)
Known Attacks: None
Description:

A user can insert script in the RMA SKU field, which could potentially result in a stored cross-site scripting attack.

Product(s) Affected: Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Magecraze
APPSEC-1973: Cross-site Scripting in Newsletter Template
Type: Cross-site Scripting (XSS) - stored
CVSSv3 Severity: 5.0 (Medium)
Known Attacks: None
Description:

An administrator with limited privileges can embed cross-site scripting elements in the Newsletter template, which could potentially lead to a stored cross-site scripting attack.

Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Magecraze
APPSEC-1873/1979/1980: Cross-site Scripting in Site Settings
Type: Cross-site Scripting (XSS) - stored
CVSSv3 Severity: 5.0 (Medium)
Known Attacks: None
Description:

An administrator with limited privileges can embed cross-site scripting elements in the Website Name or Store View Name setting, which could potentially lead to a stored cross-site scripting attack.

Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Max Chadwick and Peter O'Callaghan
APPSEC-1995: Cross-site Scripting in Downloadable Products
Type: Cross-site Scripting (XSS) - stored
CVSSv3 Severity: 5.0 (Medium)
Known Attacks: None
Description:

An administrator with limited privileges can insert arbitrary code into product fields, which could potentially lead to a stored cross-site scripting attack.

Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Boskostan
APPSEC-1998: Cross-site Scripting in Product Attributes
Type: Cross-site Scripting (XSS) - stored
CVSSv3 Severity: 5.0 (Medium)
Known Attacks: None
Description:

An administrator with limited privileges can embed cross-site scripting elements in product attributes, which could potentially lead to a cross-site scripting attack.

Product(s) Affected: Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Boskostan
APPSEC-1878/1890: Cross-site Scripting in CMS hierarchy
Type: Cross-site Scripting (XSS) - stored
CVSSv3 Severity: 5.0 (Medium)
Known Attacks: None
Description:

An administrator with limited privileges can insert script into the CMS hierarchy, which could potentially result in stored cross-site scripting that affects other administrators.

Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.2 prior to 2.2.3
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.2.3
Reporter: Max Chadwick and Magecraze
APPSEC-1488: Cross-site Scripting in Status Message (continuation)
Type: Cross-site Scripting (XSS) - stored
CVSSv3 Severity: 5.0 (Medium)
Known Attacks: None
Description:

Status messages were not properly escaped on output.

Product(s) Affected: Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Peter O'Callaghan
APPSEC-1272: No CSRF Protection in Order Printing
Type: Cross-Site Request Forgery (CSRF)
CVSSv3 Severity: 4.9 (Medium)
Known Attacks: None
Description:

A user can craft a URL that forces another user to open the Print Order view.

Product(s) Affected: Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12
Fixed In: Magento 2.0.18, Magento 2.1.12
Reporter: Vishnu_Vardhan_Reddy
APPSEC-1889: CSRF Protection Bypass
Type: Cross-Site Request Forgery (CSRF)
CVSSv3 Severity: 4.9 (Medium)
Known Attacks: None
Description:

An administrator with limited privileges can craft a cross-site request to perform requests on behalf of another administrator.

Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Fabain
APPSEC-1553: Access to Gift Registries of Other Users
Type: Insecure Direct Object Reference (IDOR)
CVSSv3 Severity: 4.8 (Medium)
Known Attacks: None
Description:

A user can view gift registries that do not belong to them.

Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Peter O'Callaghan
APPSEC-1937: Information Exposure
Type: Information Exposure
CVSSv3 Severity: 3.9 (Low)
Known Attacks: None
Description:

Weak protection checking can potentially lead to privilege escalation or information disclosure.

Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Peter O'Callaghan
APPSEC-1895: Information Exposure
Type: Information Exposure
CVSSv3 Severity: 3.9 (Low)
Known Attacks: None
Description:

An administrator with limited privileges can view privileged information on another site that is hosted on the same platform.

Product(s) Affected: Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Internal
APPSEC-1967: Password Change Session Management
Type: Session Management
CVSSv3 Severity: 3.4 (Low)
Known Attacks: None
Description:

Magento did not previously terminate existing sessions when the currently logged-in user changed his or her password.

Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Internal
APPSEC-1972: Password Reset Session Management
Type: Session Management
CVSSv3 Severity: 3.4 (Low)
Known Attacks: None
Description:

When a user reset his or her password, Magento did not previously log out of existing sessions.

Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12
Reporter: Internal

Please refer to Security Best Practices for additional information on how to secure your site.

Be sure to implement and test the patch in a development environment first to confirm that it works as expected before deploying it to a production site.