Magento 2.2.7 and 2.1.16 Security Update

An administrator user with access the Braintree payment method configuration can trigger remote code execution though PHP object injection.

An administrator with access to Varnish configuration settings and the design configuration can trigger remote code execution through PHP object instantiation.

Administrators with limited privileges can upload an unauthorized template using the path traversal capability. Although most forms do not authorize this type of upload, an attacker could create a product with a file custom options that accepts an unauthorized template file.

A user can upload unauthorized files while creating a downloadable product.

The upload settings for B2B quote files are vulnerable to remote code execution attacks.

An unauthorized file download can be used to remotely execute code.

By activating an API that supports the ability to add products, a malicious user can send base64-encoded content to an unauthorized file and use it to remotely execute code.

A user can upload unauthorized files while uploading videos.

A vulnerability in the Admin import feature permits a user to upload a file that they can subsequently use to remotely execute malicious code.

Certain template directives permit users to write dynamic content. A malicious user could use special characters in this content to circumvent the CSS directive that allows the CSS file to be loaded directly to the body of the content. In turn, this permits content to be uploaded to various directories.

An unauthorized user can access user data by rendering arbitrary code blocks.

The customer shopping cart and coupons are vulnerable to cross-site scripting attacks

The name of a staging campaign provides an opportunity for cross-site scripting.

Newsletter template settings are vulnerable to cross-site scripting attacks.

Customer gift cards are vulnerable to brute-force and cross-site request forgery attacks during redeem gift card and check balance and sales actions.

Return merchandise authorizations (RMA) are vulnerable to cross-site request forgeries.

A path traversal vulnerability permits folder creation at arbitrary locations and file deletion from arbitrary locations in the Admin product image/media upload area.

The Admin alert message is vulnerable to cross-site scripting within the store configuration settings.

Prevents a remote attacker from inserting arbitrary codes.

An administrator can manipulate the notification feed configuration value by injecting form data while saving the system section of the store configuration settings.

Users can bypass the permissions set in magento/module-promotion-permissions and perform create, update, and delete actions on promotional areas of the site.

Multiple functions used to sanitize user input for cross-site scripting contexts can be bypassed.

Permits expected and proper view premissions of all customers for admins.

Access to certain private files is not protected.

The Admin object does not check the privileges of the user making a request to confirm whether the user is authorized to view the resource being requested.

Shopping cart settings are vulnerable to reflected cross-site scripting.

Various media players provide opportunity for password leakage.

Authenticated users can use cross-site request forgeries to perform unauthorized actions.

Reflected XSS can be inserted into an attribute group name in Admin > Stores > Attribute Set.

Prevents possible deletion of customer group information via escalated privilege

Encryption keys are not encrypted but are stored in plain text in backup files.