New Security Update

Install critical updates for Magento 1.x and Magento 2.x versions

Magento 2.2.7 and 2.1.16 Security Update

November 28, 2018

Magento Commerce and Open Source 2.3.0, 2.2.7 and 2.1.16 contain multiple security enhancements that help close Remote Code Execution (RCE), Cross-Site Scripting (XSS) and other vulnerabilities.

Merchants who have not previously downloaded a Magento 2 release should go straight to Magento Commerce or Open Source 2.3.0.

Please refer to Security Best Practices for additional information on how to secure your site.

To download the releases, choose from the following options:

Partners:

Magento Commerce 2.3.0 (New .zip file installations)

Partner Portal > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.3.0

Magento Commerce 2.2.7 (New .zip file installations)

Partner Portal > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.2.7

Magento Commerce 2.1.16 (New .zip file installations)

Partner Portal > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.1.16

Magento Commerce 2.3.0, 2.2.7 and 2.1.16 (New composer installations)

https://devdocs.magento.com/guides/v2.2/install-gde/composer.html

Magento Commerce 2.3.0, 2.2.7 and 2.1.16 (Composer upgrades)

https://devdocs.magento.com/guides/v2.2/comp-mgr/bk-compman-upgrade-guide.html

Magento Commerce:

Magento Commerce 2.3.0 (New .zip file installations)

My Account > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.3.0

Magento Commerce 2.2.7 (New .zip file installations)

My Account > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.2.7

Magento Commerce 2.1.16 (New .zip file installations)

My Account > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.1.16

Magento Commerce 2.3.0, 2.2.7 and 2.1.16 (New composer installations)

https://devdocs.magento.com/guides/v2.2/install-gde/composer.html

Magento Commerce 2.3.0, 2.2.7 and 2.1.16 (Composer upgrades)

https://devdocs.magento.com/guides/v2.2/comp-mgr/bk-compman-upgrade-guide.html

Magento Open Source:

Magento Open Source 2.3.0, 2.2.7 and 2.1.16 (New .zip file installations)

Magento Open Source Download Page > Download Tab

Magento Open Source 2.3.0, 2.2.7 and 2.1.16 (New composer installations)

https://devdocs.magento.com/guides/v2.2/install-gde/composer.html

Magento Open Source 2.3.0, 2.2.7 and 2.1.16 (Composer upgrades)

https://devdocs.magento.com/guides/v2.2/comp-mgr/bk-compman-upgrade-guide.html

Magento Open Source 2.3.0, 2.2.7 and 2.1.16 (Developers contributing to the Open Source code base)

https://devdocs.magento.com/guides/v2.2/install-gde/install/cli/dev_options.html

PRODSECBUG-2122: PHP Object Injection (POI) and Remote Code Execution (RCE) in the Magento 2.1.15 Admin
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 9.1
Known Attacks: none
Description:

An administrator user with access to the Braintree payment method configuration can trigger remote code execution through PHP object injection.

Product(s) Affected: Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7
Fixed In: Magento 2.1.16, Magento 2.2.7, Magento 2.3.0
Reporter: convenient

PRODSECBUG-2123: PHP Object Injection (POI) and Remote Code Execution (RCE) in the Admin
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 9.1
Known Attacks: none
Description:

An administrator with access to Varnish configuration settings and the design configuration can trigger remote code execution through PHP object instantiation.

Product(s) Affected: Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7
Fixed In: Magento 2.1.16, Magento 2.2.7, Magento 2.3.0
Reporter: convenient

PRODSECBUG-2160: Unauthorized File Upload via Customer Attributes
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 9.0
Known Attacks: none
Description:
Product(s) Affected: Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7
Fixed In: Magento 2.1.16, Magento 2.2.7, Magento 2.3.0
Reporter: mpchadwick

PRODSECBUG-2151: Remote Code Execution through Path Traversal
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 8.8
Known Attacks: none
Description:

Administrators with limited privileges can upload an unauthorized template using the path traversal capability. Although most forms do not authorize this type of upload, an attacker could create a product with a file custom option that accepts an unauthorized template file.

Product(s) Affected: Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7
Fixed In: Magento 2.1.16, Magento 2.2.7, Magento 2.3.0
Reporter: Blaklis_

PRODSECBUG-2154: Remote Code Execution through the Admin
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 8.5
Known Attacks: none
Description:

A user can upload unauthorized files while creating a downloadable product.

Product(s) Affected: Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7
Fixed In: Magento 2.1.16, Magento 2.2.7, Magento 2.3.0
Reporter: sambecks

PRODSECBUG-2057: Remote Code Execution in Upload of Quote File
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 8.5
Known Attacks: none
Description:

The upload settings for B2B quote files are vulnerable to remote code execution attacks.

Product(s) Affected: Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7
Fixed In: Magento 2.1.16, Magento 2.2.7, Magento 2.3.0
Reporter: mpchadwick

PRODSECBUG-2157: Remote Code Execution Vulnerability in Race Condition
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 8.5
Known Attacks: none
Description:

An unauthorized file download can be used to remotely execute code.

Product(s) Affected: Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7
Fixed In: Magento 2.1.16, Magento 2.2.7, Magento 2.3.0
Reporter: mortis

PRODSECBUG-2159: API-Based Remote Code Execution Vulnerability
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 8.5
Known Attacks: none
Description:

By activating an API that supports the ability to add products, a malicious user can send base64-encoded content to an unauthorized file and use it to remotely execute code.

Product(s) Affected: Magento Open Source prior to 1.9.4.0, and Magento Commerce prior to 1.14.4.0, Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7
Fixed In: Magento Open Source 1.9.4.0, Magento Commerce 1.14.4.0, SUPEE-10975, Magento 2.1.16, Magento 2.2.7, Magento 2.3.0
Reporter: sambecks

PRODSECBUG-2156: Remote Code Execution through Unauthorized File Upload
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 8.5
Known Attacks: none
Description:

A user can upload unauthorized files while uploading videos.

Product(s) Affected: Magento Open Source prior to 1.9.4.0, and Magento Commerce prior to 1.14.4.0, Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7
Fixed In: Magento Open Source 1.9.4.0, Magento Commerce 1.14.4.0, SUPEE-10975, Magento 2.1.16, Magento 2.2.7, Magento 2.3.0
Reporter: mortis

PRODSECBUG-2148: Remote Code Execution and Arbitrary Move File
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 8.5
Known Attacks: none
Description:

A vulnerability in the Admin import feature permits a user to upload a file that they can subsequently use to remotely execute malicious code.

Product(s) Affected: Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7
Fixed In: Magento 2.1.16, Magento 2.2.7, Magento 2.3.0
Reporter: sambecks

PRODSECBUG-2153: Unauthorized read permissions through Email Templates
Type: Privilege Escalation
CVSSv3 Severity: 7.7
Known Attacks: none
Description:

Certain template directives permit users to write dynamic content. A malicious user could use special characters in this content to circumvent the CSS directive that allows the CSS file to be loaded directly to the body of the content. In turn, this permits content to be uploaded to various directories.

Product(s) Affected: Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7
Fixed In: Magento 2.1.16, Magento 2.2.7, Magento 2.3.0
Reporter: Blaklis_

PRODSECBUG-2063: Bypass of Authorization Check by Unauthorized Users
Type: Privilege Escalation
CVSSv3 Severity: 7.2
Known Attacks: none
Description:

An unauthorized user can access user data by rendering arbitrary code blocks.

Product(s) Affected: Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7
Fixed In: Magento 2.1.16, Magento 2.2.7, Magento 2.3.0
Reporter: mpchadwick

PRODSECBUG-2143: Cross-Site Scripting in the Swagger Generator through Unsanitized URL Parameter
Type: Cross-Site Scripting (XSS)
CVSSv3 Severity: 7.1
Known Attacks: none
Description:
Product(s) Affected: Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7
Fixed In: Magento 2.1.16, Magento 2.2.7, Magento 2.3.0
Reporter: careys7

PRODSECBUG-2113: Vulnerability in Customer Shopping Cart
Type: Cross-Site Scripting (XSS)
CVSSv3 Severity: 6.5
Known Attacks: none
Description:

The customer shopping cart and coupons are vulnerable to cross-site scripting attacks.

Product(s) Affected: Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7
Fixed In: Magento 2.1.16, Magento 2.2.7, Magento 2.3.0
Reporter: mpchadwick

PRODSECBUG-2030: Vulnerability in Staging Campaign Name
Type: Cross-Site Scripting (XSS)
CVSSv3 Severity: 6.5
Known Attacks: none
Description:

The name of a staging campaign provides an opportunity for cross-site scripting.

Product(s) Affected: Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7
Fixed In: Magento 2.1.16, Magento 2.2.7, Magento 2.3.0
Reporter: mpchadwick

PRODSECBUG-2053: Vulnerability in Newsletter Template
Type: Cross-Site Scripting (XSS)
CVSSv3 Severity: 6.5
Known Attacks: none
Description:

Newsletter template settings are vulnerable to cross-site scripting attacks.

Product(s) Affected: Magento Open Source prior to 1.9.4.0, and Magento Commerce prior to 1.14.4.0, Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7
Fixed In: Magento Open Source 1.9.4.0, Magento Commerce 1.14.4.0, SUPEE-10975, Magento 2.1.16, Magento 2.2.7, Magento 2.3.0
Reporter: NA

PRODSECBUG-1726: Customer Gift Card Vulnerability
Type: Cross-Site Request Forgery (CSRF)
CVSSv3 Severity: 6.5
Known Attacks: none
Description:

Customer gift cards are vulnerable to brute-force and cross-site request forgery attacks during gift card redemption, balance check, and sales actions.

Product(s) Affected: Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7
Fixed In: Magento 2.1.16, Magento 2.2.7, Magento 2.3.0
Reporter: NA

MAGETWO-91785: Vulnerability within Return Order Requests
Type: Cross-Site Request Forgery (CSRF)
CVSSv3 Severity: 6.3
Known Attacks: none
Description:

Return merchandise authorizations (RMA) are vulnerable to cross-site request forgeries.

Product(s) Affected: Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7
Fixed In: Magento 2.1.16, Magento 2.2.7, Magento 2.3.0
Reporter: NA

PRODSECBUG-2146: Remote Code Execution through the Product Media Upload in the Admin
Type: Cross-Site Scripting (XSS)
CVSSv3 Severity: 6.0
Known Attacks: none
Description:

A path traversal vulnerability permits folder creation at arbitrary locations and file deletion from arbitrary locations in the Admin product image/media upload area.

Product(s) Affected: Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7
Fixed In: Magento 2.1.16, Magento 2.2.7, Magento 2.3.0
Reporter: magecraze

MAGETWO-90725: Vulnerability in Admin Alert Message
Type: Cross-Site Scripting (XSS)
CVSSv3 Severity: 5.9
Known Attacks: none
Description:

The Admin alert message is vulnerable to cross-site scripting within the store configuration settings.

Product(s) Affected: Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7
Fixed In: Magento 2.1.16, Magento 2.2.7, Magento 2.3.0
Reporter: NA

PRODSECBUG-2138: Widget Based XSS Vulnerability
Type: Cross-Site Scripting (XSS)
CVSSv3 Severity: 5.8
Known Attacks: none
Description:

Prevents a remote attacker from inserting arbitrary code.

Product(s) Affected: Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7
Fixed In: Magento 2.1.16, Magento 2.2.7, Magento 2.3.0
Reporter: FortiGuard Labs

PRODSECBUG-2126: Unauthorized Modification of the feed_url Configuration Setting
Type: Privilege Escalation
CVSSv3 Severity: 5.8
Known Attacks: none
Description:

An administrator can manipulate the notification feed configuration value by injecting form data while saving the system section of the store configuration settings.

Product(s) Affected: Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7
Fixed In: Magento 2.1.16, Magento 2.2.7, Magento 2.3.0
Reporter: mpchadwick

PRODSECBUG-2152: ACL Bypass of Shopping Cart Price Rules
Type: Privilege Escalation
CVSSv3 Severity: 5.4
Known Attacks: none
Description:

Users can bypass the permissions set in magento/module-promotion-permissions and perform create, update, and delete actions on promotional areas of the site.

Product(s) Affected: Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7
Fixed In: Magento 2.1.16, Magento 2.2.7, Magento 2.3.0
Reporter: pocallaghan

PRODSECBUG-2136: Stored Cross-Site Scripting (XSS) in Admin
Type: Cross-Site Scripting (XSS)
CVSSv3 Severity: 5.4
Known Attacks: none
Description:

Multiple functions used to sanitize user input for cross-site scripting contexts can be bypassed.

Product(s) Affected: Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7
Fixed In: Magento 2.1.16, Magento 2.2.7, Magento 2.3.0
Reporter: simonscannell

MAGETWO-94370: Customer Bypass of Restrictions
Type: Privilege Escalation
CVSSv3 Severity: 5.4
Known Attacks: none
Description:

Permits expected and proper view permissions of all customers for admins.

Product(s) Affected: Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7
Fixed In: Magento 2.1.16, Magento 2.2.7, Magento 2.3.0
Reporter: NA

PRODSECBUG-1883: Leakage of Custom PHP settings from .user.ini File
Type: Information Leakage (Internal)
CVSSv3 Severity: 5.3
Known Attacks: none
Description:

Access to certain private files is not protected.

Product(s) Affected: Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7
Fixed In: Magento 2.1.16, Magento 2.2.7, Magento 2.3.0
Reporter: gwillem

PRODSECBUG-2131: Bypass of Authorization Possible through Vulnerability in render_handle
Type: Privilege Escalation
CVSSv3 Severity: 5.0
Known Attacks: none
Description:

The Admin object does not check the privileges of the user making a request to confirm whether the user is authorized to view the resource being requested.

Product(s) Affected: Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7
Fixed In: Magento 2.1.16, Magento 2.2.7, Magento 2.3.0
Reporter: mpchadwick

PRODSECBUG-2071: Vulnerability in Cart
Type: Cross-Site Scripting (XSS)
CVSSv3 Severity: 4.8
Known Attacks: none
Description:

Shopping cart settings are vulnerable to reflected cross-site scripting.

Product(s) Affected: Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7
Fixed In: Magento 2.1.16, Magento 2.2.7, Magento 2.3.0
Reporter: Jonathan Kingston

PRODSECBUG-1917: Password Protection via External Auth Injection
Type: Information Disclosure / Leakage (Confidential or Restricted)
CVSSv3 Severity: 4.3
Known Attacks: none
Description:

Various media players provide an opportunity for password leakage.

Product(s) Affected: Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7
Fixed In: Magento 2.1.16, Magento 2.2.7, Magento 2.3.0
Reporter: todayisnew

PRODSECBUG-1505: Vulnerability for Authenticated Users
Type: Cross-Site Request Forgery (CSRF)
CVSSv3 Severity: 4.3
Known Attacks: none
Description:

Authenticated users can use cross-site request forgeries to perform unauthorized actions.

Product(s) Affected: Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7
Fixed In: Magento 2.1.16, Magento 2.2.7, Magento 2.3.0
Reporter: NA

PRODSECBUG-2069: Vulnerability in Attribute Group Name
Type: Cross-Site Scripting (XSS) - reflected
CVSSv3 Severity: 4.2
Known Attacks: none
Description:

Reflected XSS can be inserted into an attribute group name in Admin > Stores > Attribute Set.

Product(s) Affected: Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7
Fixed In: Magento 2.1.16, Magento 2.2.7, Magento 2.3.0
Reporter: Magecraze

PRODSECBUG-2088: CSRF Vulnerability related to Customer Group Deletion
Type: Cross-Site Request Forgery (CSRF)
CVSSv3 Severity: 4.2
Known Attacks: none
Description:

Prevents possible deletion of customer group information via escalated privilege.

Product(s) Affected: Magento Open Source prior to 1.9.4.0, and Magento Commerce prior to 1.14.4.0, Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7
Fixed In: Magento Open Source 1.9.4.0, Magento Commerce 1.14.4.0, SUPEE-10975, Magento 2.1.16, Magento 2.2.7, Magento 2.3.0
Reporter: Djordje-marjanovic

PRODSECBUG-2108: Outdated jQuery Causes PCI Scanning Failure
Type: Compliance Requirement
CVSSv3 Severity: 0.0
Known Attacks: none
Description:
Product(s) Affected: Magento Open Source prior to 1.9.4.0, and Magento Commerce prior to 1.14.4.0, Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7
Fixed In: Magento Open Source 1.9.4.0, Magento Commerce 1.14.4.0, SUPEE-10975, Magento 2.1.16, Magento 2.2.7, Magento 2.3.0
Reporter: Internal Staff

MAGETWO-95681: Cross Site Data Leakage
Type: Information Disclosure / Leakage (Confidential or Restricted)
CVSSv3 Severity: 4.3
Known Attacks: none
Description:
Product(s) Affected: Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7
Fixed In: Magento 2.1.16, Magento 2.2.7, Magento 2.3.0
Reporter: NA

MAG-12, MAG-2: Encryption Keys Stored in Plain Text
Type: Information Disclosure / Leakage (Confidential or Restricted)
CVSSv3 Severity: 0.0
Known Attacks: none
Description:

Encryption keys are not encrypted but are stored in plain text in backup files.

Product(s) Affected: Magento Open Source prior to 1.9.4.0, and Magento Commerce prior to 1.14.4.0, Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7
Fixed In: Magento Open Source 1.9.4.0, Magento Commerce 1.14.4.0, SUPEE-10975, Magento 2.1.16, Magento 2.2.7, Magento 2.3.0
Reporter: NA

PRODSECBUG-2074: AngularJS and Setup Application are Vulnerable
Type: Compliance Requirement
CVSSv3 Severity: 0.0
Known Attacks: none
Description:
Product(s) Affected: Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7
Fixed In: Magento 2.1.16, Magento 2.2.7, Magento 2.3.0
Reporter: NA

Please refer to Security Best Practices for additional information on how to secure your site.

Be sure to implement and test the patch in a development environment first to confirm that it works as expected before deploying it to a production site.
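An added example, not part of the Magento advisory, that turns the "Product(s) Affected" and "Fixed In" ranges above into a quick check: given an edition and an installed version, it reports whether the install is inside an affected range and whether a given issue from this update applies to it (the six issues that also affect 1.x are listed separately from the 2.x-only ones). The edition names, function names and the fixed-version table are this example's own assumptions, transcribed from the advisory text.

```python
"""Added example (not from the Magento advisory): check an installed Magento
version against the affected/fixed ranges published in this security update."""
from typing import Optional, Tuple

# First version of each branch that contains the fix, as stated in the advisory.
# Versions below the fix are affected; versions at or above it are not.
# (Table constructed for this example; "open-source"/"commerce" are our labels.)
ADVISORY_FIX_VERSIONS = {
    ("open-source", "1.9"): "1.9.4.0",
    ("commerce", "1.14"): "1.14.4.0",
    ("open-source", "2.1"): "2.1.16",
    ("commerce", "2.1"): "2.1.16",
    ("open-source", "2.2"): "2.2.7",
    ("commerce", "2.2"): "2.2.7",
    ("open-source", "2.3"): "2.3.0",
    ("commerce", "2.3"): "2.3.0",
}

# Issues whose "Product(s) Affected" line also names 1.x; every other issue in
# the update lists only Magento 2.1 / 2.2.
ISSUES_ALSO_IN_1X = {
    "PRODSECBUG-2159", "PRODSECBUG-2156", "PRODSECBUG-2053",
    "PRODSECBUG-2088", "PRODSECBUG-2108", "MAG-12, MAG-2",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.2.7' into (2, 2, 7); reject anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def branch_of(version: Tuple[int, ...]) -> str:
    """'2.2.6' -> '2.2', '1.14.3.10' -> '1.14'."""
    return ".".join(str(p) for p in version[:2])


def is_affected(edition: str, version_text: str) -> Optional[bool]:
    """True if inside an affected range, False if at/after the fix,
    None if the advisory does not cover that edition/branch at all."""
    version = parse_version(version_text)
    fixed = ADVISORY_FIX_VERSIONS.get((edition, branch_of(version)))
    if fixed is None:
        return None
    return version < parse_version(fixed)  # tuple compare = numeric compare


def issue_applies(issue_id: str, edition: str, version_text: str) -> bool:
    """Does a specific entry from this update apply to the given install?"""
    if not is_affected(edition, version_text):
        return False
    if parse_version(version_text)[0] == 1:
        return issue_id in ISSUES_ALSO_IN_1X
    return True
```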