New Security Update

Install critical updates for Magento 1.x and Magento 2.x versions

Magento 2.2.6 and 2.1.15 Security Update

September 10, 2018

Magento Commerce and Open Source 2.2.6 and 2.1.15 contain multiple security enhancements that help close Cross-Site Scripting (XSS) and other vulnerabilities.

Merchants who have not previously downloaded a Magento 2 release should go straight to Magento Commerce or Open Source 2.2.6.

Please refer to Security Best Practices for additional information on how to secure your site.

To download the releases, choose from the following options:

Partners:

Magento Commerce 2.2.6 (New .zip file installations)

Partner Portal > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.2.6

Magento Commerce 2.1.15 (New .zip file installations)

Partner Portal > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.1.15

Magento Commerce 2.2.6 and 2.1.15 (New composer installations)

https://devdocs.magento.com/guides/v2.2/install-gde/composer.html

Magento Commerce 2.2.6 and 2.1.15 (Composer upgrades)

https://devdocs.magento.com/guides/v2.2/comp-mgr/bk-compman-upgrade-guide.html

Magento Commerce:

Magento Commerce 2.2.6 (New .zip file installations)

My Account > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.2.6

Magento Commerce 2.1.15 (New .zip file installations)

My Account > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.1.15

Magento Commerce 2.2.6 and 2.1.15 (New composer installations)

https://devdocs.magento.com/guides/v2.2/install-gde/composer.html

Magento Commerce 2.2.6 and 2.1.15 (Composer upgrades)

https://devdocs.magento.com/guides/v2.2/comp-mgr/bk-compman-upgrade-guide.html

Magento Open Source:

Magento Open Source 2.2.6 and 2.1.15 (New .zip file installations)

Magento Open Source Download Page > Download Tab

Magento Open Source 2.2.6 and 2.1.15 (New composer installations)

https://devdocs.magento.com/guides/v2.2/install-gde/composer.html

Magento Open Source 2.2.6 and 2.1.15 (Composer upgrades)

https://devdocs.magento.com/guides/v2.2/comp-mgr/bk-compman-upgrade-guide.html

Magento Open Source 2.2.6 and 2.1.15 (Developers contributing to the Open Source code base)

https://devdocs.magento.com/guides/v2.2/install-gde/install/cli/dev_options.html

APPSEC-2003: RCE via Varnish settings in admin
Type: General: Remote Code Execution
CVSSv3 Severity: 9.8
Known Attacks: None
Description:

An admin user can read any file on the server and execute arbitrary commands through Varnish. The vulnerability is in the Magento 2.2 admin configuration settings for Varnish, where an admin user can whitelist a list of IPs (ACL) and download the customized Varnish configuration file to use as the full page cache.

Product(s) Affected: Magento 2.1 prior to 2.1.15, Magento 2.2 prior to 2.2.6
Fixed In: Magento 2.1.15, Magento 2.2.6
Reporter: magecraze
APPSEC-2094: Stored XSS - Website to Admin in Global Search
Type: General: Cross Site Scripting (stored)
CVSSv3 Severity: 9.6
Known Attacks: None
Description:
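The defensive lesson of APPSEC-2003 is that an admin-controlled setting must not be written into a generated configuration file as free text. The following Python example is added here for illustration; it is not Magento code and Magento is written in PHP. It assumes the admin setting is a comma-separated list of IPv4/IPv6 addresses or CIDR ranges that is templated into an `acl purge { ... }` block of VCL, and contrasts the vulnerable concatenation with a version that only ever emits addresses the `ipaddress` module has parsed and canonicalised.

```python
"""Added illustration (not Magento code): validating admin-supplied Varnish
ACL entries before they are written into generated VCL text.

Assumption: the admin setting is a comma-separated list of IPv4/IPv6
addresses or CIDR ranges that ends up inside an 'acl purge { ... }' block.
"""
import ipaddress


def render_acl_unsafe(entries: str) -> str:
    """Vulnerable pattern: each admin-supplied entry is quoted and concatenated
    straight into the configuration text, so anything that is not an address
    still lands in the generated file."""
    lines = [f'    "{e.strip()}";' for e in entries.split(",") if e.strip()]
    return "acl purge {\n" + "\n".join(lines) + "\n}\n"


def parse_acl_entry(entry: str) -> str:
    """Canonicalise one entry into VCL ACL syntax ('"a.b.c.d"' or '"a.b.c.d"/n').

    Anything the ipaddress module refuses to parse raises ValueError, so the
    rendered text can only ever contain addresses and prefix lengths."""
    entry = entry.strip()
    if "/" in entry:
        net = ipaddress.ip_network(entry, strict=False)
        return f'"{net.network_address}"/{net.prefixlen}'
    return f'"{ipaddress.ip_address(entry)}"'


def invalid_acl_entries(entries: str) -> list:
    """Return the entries that fail validation (an empty list means the input is clean)."""
    bad = []
    for raw in entries.split(","):
        if not raw.strip():
            continue
        try:
            parse_acl_entry(raw)
        except ValueError:
            bad.append(raw.strip())
    return bad


def render_acl_safe(entries: str) -> str:
    """Hardened rendering: reject the whole setting if any entry is invalid,
    then emit only canonicalised addresses."""
    bad = invalid_acl_entries(entries)
    if bad:
        raise ValueError(f"rejected ACL entries: {bad}")
    lines = [
        "    " + parse_acl_entry(raw) + ";"
        for raw in entries.split(",")
        if raw.strip()
    ]
    return "acl purge {\n" + "\n".join(lines) + "\n}\n"


if __name__ == "__main__":
    print(render_acl_safe("127.0.0.1, 10.0.0.0/8"))
    print(invalid_acl_entries("127.0.0.1, cache.example"))
```

Rejecting the whole setting, rather than silently dropping bad entries, keeps the admin UI honest about what was saved and leaves an audit trail of the attempt in the application log.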

A stored XSS vulnerability that lets a website user target admin accounts has been discovered in all Magento 2.x versions. It is very easy for an attacker to exploit.

Product(s) Affected: Magento 2.1 prior to 2.1.15, Magento 2.2 prior to 2.2.6
Fixed In: Magento 2.1.15, Magento 2.2.6
Reporter: magecraze
APPSEC-2045: PHP Files Can Be Uploaded Via Custom Options
Type: General: Remote Code Execution
CVSSv3 Severity: 8.9
Known Attacks: None
Description:

An attacker with limited admin privileges could create a new product (or update an existing one) so that its custom option allows upload of a PHP script, order that product (through the admin panel the total could be adjusted to $0.00), upload an arbitrary PHP script as the custom option, and then execute the script via the browser to achieve RCE (for example, in an nginx environment).

Product(s) Affected: Magento 2.1 prior to 2.1.15, Magento 2.2 prior to 2.2.6
Fixed In: Magento 2.1.15, Magento 2.2.6
Reporter: mpchadwick
APPSEC-2081: Magento is leaking customer address attribute data.
Type: Privilege Escalation & Enumeration: Information Exposure
CVSSv3 Severity: 7.5
Known Attacks: None
Description:
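APPSEC-2045 shows that a per-product setting controlled by a low-privileged admin must not be able to widen what the platform accepts as an upload. The Python example below is added here to illustrate the control; it is not Magento code. It assumes the product-level setting is a comma-separated list of extensions and that uploads land under the web root, so executable types are refused on the server side no matter what the product configuration says, and file names with path components or executable intermediate extensions are rejected as well.

```python
"""Added illustration (not Magento code): server-side limits on customer file
uploads for a product custom option of type 'file'.

Assumptions: the per-product admin setting is a comma-separated list of
permitted extensions, and uploads are stored under the web root where a
misconfigured server could execute them, so executable types must be
refused regardless of what a product-level admin configured.
"""
import os

# Never acceptable for customer uploads, whatever the per-product setting says
# (constructed list; extend it for the interpreters your stack actually runs).
FORBIDDEN_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "pht", "phps", "phar",
    "shtml", "htaccess", "cgi", "pl", "py", "jsp", "asp", "aspx",
}


def normalise_allowlist(admin_extensions: str) -> set:
    """Turn the admin's 'jpg, PNG, .pdf' into a lower-case set, dropping anything
    executable. The admin setting can widen the list only within this boundary."""
    wanted = {e.strip().lower().lstrip(".") for e in admin_extensions.split(",")}
    return {e for e in wanted if e and e not in FORBIDDEN_EXTENSIONS}


def is_upload_allowed(filename: str, allowed: set) -> bool:
    """Decide whether an uploaded file name is acceptable.

    Checks: no path components or NUL bytes, a real extension, the final
    extension is on the allowlist, and no intermediate segment is an
    executable type (so 'shell.php.jpg' is refused even though it ends in .jpg).
    """
    if "\x00" in filename or "/" in filename or "\\" in filename:
        return False
    base = os.path.basename(filename)
    if not base or base.startswith("."):
        return False
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False
    if parts[-1] not in allowed:
        return False
    return not any(seg in FORBIDDEN_EXTENSIONS for seg in parts[1:])


if __name__ == "__main__":
    allowed = normalise_allowlist("jpg, PNG, .php, phtml")
    print(sorted(allowed))
    for name in ("photo.JPG", "shell.php", "shell.php.jpg", "../photo.jpg"):
        print(name, is_upload_allowed(name, allowed))
```

Extension checks are only one layer; storing uploads outside the document root, or serving the upload directory with script execution disabled, removes the execution path even if a name slips through.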

The fix prevents personal customer address data and customer address attributes from being leaked in Magento Commerce.

Product(s) Affected: Magento 2.1 prior to 2.1.15, Magento 2.2 prior to 2.2.6
Fixed In: Magento 2.1.15, Magento 2.2.6
Reporter: WeProvide
APPSEC-2027: Multiple CSRF (Website, Store, Store View deletion)
Type: General: Cross Site Request Forgery
CVSSv3 Severity: 7.4
Known Attacks: None
Description:
Product(s) Affected: Magento 2.1 prior to 2.1.15, Magento 2.2 prior to 2.2.6
Fixed In: Magento 2.1.15, Magento 2.2.6
Reporter: boskostan
APPSEC-2092: CSRF on Changing of orders status
Type: General: Cross Site Request Forgery
CVSSv3 Severity: 6.8
Known Attacks: None
Description:

A cross-site request forgery vulnerability that can change the status of orders. The attack is possible if the admin setting Add Secret Key to URLs is disabled.

Product(s) Affected: Magento 2.1 prior to 2.1.15, Magento 2.2 prior to 2.2.6
Fixed In: Magento 2.1.15, Magento 2.2.6
Reporter: djordje-marjanovic
APPSEC-2006: Admin Stored XSS via Enterprise Logging
Type: General: Cross Site Scripting (stored)
CVSSv3 Severity: 6.5
Known Attacks: None
Description:
Product(s) Affected: Magento 2.1 prior to 2.1.15, Magento 2.2 prior to 2.2.6
Fixed In: Magento 2.1.15, Magento 2.2.6
Reporter: pocallaghan
APPSEC-2059: CSRF Mass Deletion of Customers
Type: General: Cross Site Request Forgery
CVSSv3 Severity: 6.4
Known Attacks: None
Description:

Allows deletion of a single customer or of all store customers. When the POST request that performs the deletion is switched to GET, the missing form_key parameter, which serves as the CSRF token, is completely ignored, allowing the request to be used in cross-site request forgery attacks.

Product(s) Affected: Magento 2.1 prior to 2.1.15, Magento 2.2 prior to 2.2.6
Fixed In: Magento 2.1.15, Magento 2.2.6
Reporter: boskostan
APPSEC-2058: CSRF Mass Deletion of Products
Type: CSRF Mass Deletion of Products
CVSSv3 Severity: 6.4
Known Attacks: None
Description:

Allows deletion of a single product or of all store products. When the POST request that performs the deletion is switched to GET, the missing form_key parameter, which serves as the CSRF token, is completely ignored, allowing the request to be used in cross-site request forgery attacks.

Product(s) Affected: Magento 2.1 prior to 2.1.15, Magento 2.2 prior to 2.2.6
Fixed In: Magento 2.1.15, Magento 2.2.6
Reporter: boskostan
APPSEC-2037: Local file disclosure
Type: File Problems: Local File Inclusion
CVSSv3 Severity: 6.1
Known Attacks: None
Description:
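APPSEC-2059 and APPSEC-2058 share one root cause: the form_key check runs only for POST, so the same action sent as GET never reaches it. The Python example below is added to illustrate both entries; it is not Magento code. It models the vulnerable and the hardened handler side by side, and adds the detection half a defender wants: a scan of access-log lines for mass-delete routes requested via GET. The route names, session class and log lines are constructed for the example.

```python
"""Added illustration (not Magento code): why a CSRF token that is only checked
on POST can be bypassed by re-sending the action as GET, what the hardened
handler looks like, and how to spot the pattern in access logs.
Route names, session class and log lines are constructed.
"""
import hmac
import re
import secrets


class AdminSession:
    """Holds the per-session anti-CSRF token (Magento calls it form_key)."""

    def __init__(self):
        self.form_key = secrets.token_urlsafe(16)


def _token_ok(session, params) -> bool:
    """Constant-time comparison of the supplied token against the session's."""
    supplied = str(params.get("form_key", "")).encode()
    return hmac.compare_digest(supplied, session.form_key.encode())


def mass_delete_vulnerable(session, method, params):
    """Vulnerable pattern: the token is validated for POST only, so the same
    action issued as GET (a link an admin is lured into loading) skips the
    check and still deletes the selected records."""
    if method == "POST" and not _token_ok(session, params):
        return 403, "invalid form key"
    return 200, f"deleted {len(params.get('ids', []))} records"


def mass_delete_fixed(session, method, params):
    """Hardened: state-changing actions accept POST only, and the token is
    always validated before anything is deleted."""
    if method != "POST":
        return 405, "method not allowed"
    if not _token_ok(session, params):
        return 403, "invalid form key"
    return 200, f"deleted {len(params.get('ids', []))} records"


# Detection side: admin mass-delete routes should never appear as GET requests.
# Constructed access-log lines in the usual combined-log shape.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2018:10:01:02 +0000] "POST /admin/customer/index/massDelete/ HTTP/1.1" 200 512
203.0.113.5 - - [10/Sep/2018:10:02:44 +0000] "GET /admin/customer/index/massDelete/ HTTP/1.1" 200 512
203.0.113.9 - - [10/Sep/2018:10:03:10 +0000] "GET /admin/catalog/product/index/ HTTP/1.1" 200 8192
"""
# Constructed route fragments; adapt to the admin routes of the deployment.
DELETE_ROUTES = ("/customer/index/massDelete", "/catalog/product/massDelete")
_REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def suspicious_get_deletes(log_text: str) -> list:
    """Return the log lines where a mass-delete route was requested via GET."""
    hits = []
    for line in log_text.splitlines():
        m = _REQ.search(line)
        if m and m.group("method") == "GET" and any(r in m.group("path") for r in DELETE_ROUTES):
            hits.append(line)
    return hits


if __name__ == "__main__":
    s = AdminSession()
    print(mass_delete_vulnerable(s, "GET", {"ids": [1, 2, 3]}))
    print(mass_delete_fixed(s, "GET", {"ids": [1, 2, 3]}))
    print(mass_delete_fixed(s, "POST", {"ids": [1], "form_key": s.form_key}))
    for hit in suspicious_get_deletes(SAMPLE_LOG):
        print("suspicious:", hit)
```

Enforcing the method before the token matters because frameworks commonly merge GET and POST parameters; a token check that consults the merged bag can be satisfied by a query string, while a method check cannot.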

It is possible to achieve local file disclosure by accessing the log.php page.

Product(s) Affected: Magento 2.1 prior to 2.1.15, Magento 2.2 prior to 2.2.6
Fixed In: Magento 2.1.15, Magento 2.2.6
Reporter: mortis
APPSEC-2033: XSS When Viewing Catalog Product Link Widget Via Product Name
Type: General: Cross Site Scripting
CVSSv3 Severity: 5.9
Known Attacks: None
Description:

XSS When Viewing Catalog Product Link Widget Via Product Name

Product(s) Affected: Magento 2.1 prior to 2.1.15, Magento 2.2 prior to 2.2.6
Fixed In: Magento 2.1.15, Magento 2.2.6
Reporter: mpchadwick
APPSEC-2031: XSS When Viewing Email Reminder Rule via Cart Price Rule Name
Type: General: Cross Site Scripting
CVSSv3 Severity: 5.9
Known Attacks: None
Description:

XSS When Viewing Email Reminder Rule via Cart Price Rule Name

Product(s) Affected: Magento 2.1 prior to 2.1.15, Magento 2.2 prior to 2.2.6
Fixed In: Magento 2.1.15, Magento 2.2.6
Reporter: mpchadwick
APPSEC-1904: Stored Cross Site Scripting in Category Content
Type: General: Cross Site Scripting (stored)
CVSSv3 Severity: 5
Known Attacks: None
Description:

An administrator can create a category containing an XSS payload that can be used to attack other administrators.

Product(s) Affected: Magento 2.1 prior to 2.1.15, Magento 2.2 prior to 2.2.6
Fixed In: Magento 2.1.15, Magento 2.2.6
Reporter: mortis
APPSEC-2032: XSS When Viewing Catalog Category Link Widget Via Category Name
Type: General: Cross Site Scripting
CVSSv3 Severity: 5
Known Attacks: None
Description:

XSS When Viewing Catalog Category Link Widget Via Category Name

Product(s) Affected: Magento 2.1 prior to 2.1.15, Magento 2.2 prior to 2.2.6
Fixed In: Magento 2.1.15, Magento 2.2.6
Reporter: mpchadwick
APPSEC-2047: Customer orders viewable on frontend by other customers
Type: Privilege Escalation & Enumeration: Information Exposure
CVSSv3 Severity: 4.8
Known Attacks: None
Description:

The blocks in the sales_order_print.xml layout of the Magento_Sales module are never marked private or non-cacheable. Therefore, if the full-page cache is enabled and a signed-in user visits the print order page, any other signed-in user can visit that URL and see the first user's detailed order information.

Product(s) Affected: Magento 2.1 prior to 2.1.15, Magento 2.2 prior to 2.2.6
Fixed In: Magento 2.1.15, Magento 2.2.6
Reporter: AirmanAJK
APPSEC-2106: Product Video feature not GDPR compliant
Type: Compliance
CVSSv3 Severity: N/A
Known Attacks: None
Description:
Product(s) Affected: Magento 2.1 prior to 2.1.15, Magento 2.2 prior to 2.2.6
Fixed In: Magento 2.1.15, Magento 2.2.6
Reporter: Internal
APPSEC-2011: Stored Cross-Site Scripting (Product Video Uploader Name)
Type: General: Cross Site Scripting (stored)
CVSSv3 Severity: N/A
Known Attacks: None
Description:
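APPSEC-2047 is a cache-scoping bug rather than an access-control bug: the print page does check who is asking, but once a cacheable copy exists the cache answers before that check runs. The Python example below is added to illustrate the mechanism; it is not Magento code. It assumes, as Magento's layout system does, that a page is cacheable only if every block on it is cacheable, and that Magento layout XML marks the exception with cacheable="false" on the block node. The cache, layout stand-ins, URL and orders are constructed.

```python
"""Added illustration (not Magento code): how a URL-keyed full page cache turns
a per-customer page into an information leak when none of its blocks is
marked non-cacheable, and how the layout-level fix changes the outcome.

Assumption: a page is cacheable only if every block on it is cacheable
(Magento layout XML expresses the exception with cacheable="false").
Cache, layouts, URL and orders are constructed.
"""


class FullPageCache:
    """Minimal cache keyed by URL alone, standing in for Varnish or the built-in FPC."""

    def __init__(self):
        self.store = {}
        self.hits = 0

    def fetch(self, url, render, session, order_id):
        if url in self.store:          # the cache answers before any auth check runs
            self.hits += 1
            return self.store[url]
        body, cacheable = render(session, order_id)
        if cacheable:
            self.store[url] = body
        return body


# Constructed stand-ins for the sales_order_print.xml layout: the vulnerable
# layout leaves every block cacheable, the fixed one marks the order block private.
VULNERABLE_LAYOUT = [
    {"name": "header", "cacheable": True},
    {"name": "sales.order.print", "cacheable": True},
]
FIXED_LAYOUT = [
    {"name": "header", "cacheable": True},
    {"name": "sales.order.print", "cacheable": False},  # cacheable="false" in layout XML
]

ORDERS = {1000001: {"owner": "alice", "total": "129.00"}}  # constructed


def make_renderer(layout):
    """Build a page renderer that enforces ownership on an uncached render."""
    def render(session, order_id):
        order = ORDERS.get(order_id)
        if order is None or order["owner"] != session["customer"]:
            return "Access denied", False          # error responses are never cached
        body = f"Order #{order_id} for {order['owner']}, total {order['total']}"
        return body, all(block["cacheable"] for block in layout)
    return render


def simulate(layout) -> str:
    """Alice prints her order; Bob later requests the same URL. Return what Bob sees."""
    cache = FullPageCache()
    render = make_renderer(layout)
    url = "/sales/order/print/order_id/1000001/"   # constructed URL shape
    alice = {"customer": "alice"}
    bob = {"customer": "bob"}
    cache.fetch(url, render, alice, 1000001)
    return cache.fetch(url, render, bob, 1000001)


if __name__ == "__main__":
    print("vulnerable layout, Bob sees:", simulate(VULNERABLE_LAYOUT))
    print("fixed layout, Bob sees:     ", simulate(FIXED_LAYOUT))
```

The same reasoning applies to any page that varies by session: if the cache key does not include the identity the content depends on, the content must not be cached at all.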

When adding a Vimeo video to a product, Magento retrieves the name of the uploader from Vimeo but fails to sanitize the value for special characters, allowing the name to be used in stored cross-site scripting attacks. If a lower-privileged admin with access to products adds a video uploaded by a Vimeo user whose name is set to malicious JavaScript, higher-privileged admins are attacked when they view the product videos.

Product(s) Affected: Magento 2.1 prior to 2.1.15, Magento 2.2 prior to 2.2.6
Fixed In: Magento 2.1.15, Magento 2.2.6
Reporter: boskostan
APPSEC-1902: Stored Cross Site Scripting in Product Content Short Description
Type: General: Cross Site Scripting (stored)
CVSSv3 Severity: N/A
Known Attacks: None
Description:

An authenticated user with the permission Products -> Inventory -> Catalog can create a product whose Content Short Description contains an XSS payload, which is rendered when previewed in the WYSIWYG editor (TinyMCE). The user opens Products -> Catalog, adds a new product or edits an existing one, and inserts the XSS payload in the WYSIWYG editor under Content Short Description.

Product(s) Affected: Magento 2.1 prior to 2.1.15, Magento 2.2 prior to 2.2.6
Fixed In: Magento 2.1.15, Magento 2.2.6
Reporter: mortis
APPSEC-1903: Stored Cross Site Scripting in Product Content Description
Type: General: Cross Site Scripting (stored)
CVSSv3 Severity: N/A
Known Attacks: None
Description:

An authenticated user with the permission Products -> Inventory -> Catalog can create a product whose Content Description contains an XSS payload, which is rendered when previewed in the WYSIWYG editor (TinyMCE).

Product(s) Affected: Magento 2.1 prior to 2.1.15, Magento 2.2 prior to 2.2.6
Fixed In: Magento 2.1.15, Magento 2.2.6
Reporter: mortis
APPSEC-1909: Admin account takeover via File upload information disclosure
Type: Privilege Escalation & Enumeration: Broken Authentication and Session Management
CVSSv3 Severity: N/A
Known Attacks: None
Description:

Magento reveals the HttpOnly admin session cookie in the response to a successful file upload in the admin panel. Because the response content type is JSON, an attacker can steal the admin session cookie by exploiting any XSS present in the admin panel, which defeats the protection HttpOnly is meant to provide. Vulnerable file upload sections are in the CMS, Catalog and Downloadable modules.

Product(s) Affected: Magento 2.1 prior to 2.1.15, Magento 2.2 prior to 2.2.6
Fixed In: Magento 2.1.15, Magento 2.2.6
Reporter: magecraze
APPSEC-1950: Encrypted data is cached in decrypted form
Type: Privilege Escalation & Enumeration: Insecure Data Storage
CVSSv3 Severity: N/A
Known Attacks: None
Description:

Values that should be encrypted are stored in the cache in decrypted form.

Product(s) Affected: Magento 2.1 prior to 2.1.15, Magento 2.2 prior to 2.2.6
Fixed In: Magento 2.1.15, Magento 2.2.6
Reporter: Internal
APPSEC-1859: Reset password URL includes the customer ID
Type: Privilege Escalation & Enumeration
CVSSv3 Severity: N/A
Known Attacks: None
Description:

The reset password link for a customer account includes the customer ID. An attacker can use the customer ID to gain access to the customer account, despite the use of a token.

Product(s) Affected: Magento Open Source prior to 1.9.3.10, and Magento Commerce prior to 1.14.3.10, Magento 2.1 prior to 2.1.15, Magento 2.2 prior to 2.2.6
Fixed In: Magento Open Source 1.9.3.10, Magento Commerce 1.14.3.10, SUPEE-10888, Magento 2.1.15, Magento 2.2.6
Reporter:
APPSEC-2002: E-mail admin users when a new administrator is created
Type: Improvement
CVSSv3 Severity: N/A
Known Attacks: None
Description:
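APPSEC-1859 points at a design rule for reset links: the link should carry one unguessable secret and nothing else, and the server should resolve the account from that secret rather than trusting an identifier in the URL. The Python example below is added to show such a design; it is not Magento code and does not reproduce the flaw itself. The URL path, token store and one-hour lifetime are constructed assumptions; tokens are stored hashed, expire, and are consumed on first use.

```python
"""Added illustration (not Magento code): a password-reset flow where the link
carries only an unguessable token, the account is resolved from the token,
and the token is stored hashed, expires and is single-use.
URL path, TTL and the in-memory store are constructed assumptions.
"""
import hashlib
import secrets
import time


class PasswordResetStore:
    TTL_SECONDS = 3600  # constructed lifetime

    def __init__(self, now=time.time):
        self._by_hash = {}   # sha256(token) -> (customer_id, expires_at)
        self._now = now      # injectable clock so expiry can be tested

    @staticmethod
    def _digest(token: str) -> str:
        # Only the hash is kept; a read of the store does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, customer_id: int) -> str:
        """Create a reset link for the customer. The link identifies the request
        by token alone; no customer ID travels in the URL."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._by_hash[self._digest(token)] = (customer_id, self._now() + self.TTL_SECONDS)
        return f"/customer/account/createPassword/?token={token}"  # constructed path

    def redeem(self, token: str):
        """Return the customer_id the token was issued for, or None.

        The entry is removed on first presentation, valid or expired, so a
        link can never be replayed; the lookup is by hash, so no customer-
        supplied identifier takes part in selecting the account."""
        entry = self._by_hash.pop(self._digest(token), None)
        if entry is None:
            return None
        customer_id, expires_at = entry
        if self._now() > expires_at:
            return None
        return customer_id


def token_from_link(link: str) -> str:
    """Pull the token back out of an issued link (used by the demo and tests)."""
    return link.split("token=", 1)[1]


if __name__ == "__main__":
    store = PasswordResetStore()
    link = store.issue(42)
    print("link:", link)
    print("first redeem:", store.redeem(token_from_link(link)))
    print("second redeem:", store.redeem(token_from_link(link)))
```

Binding the reset to a token-only lookup also removes the enumeration side channel: a request with an unknown token is indistinguishable from one with an expired token, and neither reveals whether a given customer ID exists.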

Helps detect recently created admin accounts: an email is sent to admin users when a new administrator account is created.

Product(s) Affected: Magento Open Source prior to 1.9.3.10, and Magento Commerce prior to 1.14.3.10, Magento 2.1 prior to 2.1.15, Magento 2.2 prior to 2.2.6
Fixed In: Magento Open Source 1.9.3.10, Magento Commerce 1.14.3.10, SUPEE-10888, Magento 2.1.15, Magento 2.2.6
Reporter: Internal

Please refer to Security Best Practices for additional information on how to secure your site.

Be sure to implement and test the patch in a development environment first to confirm that it works as expected before deploying it to a production site.