Magento 2.2.7 and 2.1.16 Security Update
November 28, 2018
Magento Commerce and Open Source 2.3.0, 2.2.7 and 2.1.16 contain multiple security enhancements that help close Remote Code Execution (RCE), Cross-Site Scripting (XSS) and other vulnerabilities.
Merchants who have not previously downloaded a Magento 2 release should go straight to Magento Commerce or Open Source 2.3.0.
Please refer to Security Best Practices for additional information on how to secure your site.
To download the releases, choose from the following options:

Partners:

| Release | Location |
|---|---|
| Magento Commerce 2.3.0 (New .zip file installations) | Partner Portal > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.3.0 |
| Magento Commerce 2.2.7 (New .zip file installations) | Partner Portal > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.2.7 |
| Magento Commerce 2.1.16 (New .zip file installations) | Partner Portal > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.1.16 |
| Magento Commerce 2.3.0, 2.2.7 and 2.1.16 (New composer installations) | https://devdocs.magento.com/guides/v2.2/install-gde/composer.html |
| Magento Commerce 2.3.0, 2.2.7 and 2.1.16 (Composer upgrades) | https://devdocs.magento.com/guides/v2.2/comp-mgr/bk-compman-upgrade-guide.html |

Magento Commerce:

| Release | Location |
|---|---|
| Magento Commerce 2.3.0 (New .zip file installations) | My Account > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.3.0 |
| Magento Commerce 2.2.7 (New .zip file installations) | My Account > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.2.7 |
| Magento Commerce 2.1.16 (New .zip file installations) | My Account > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.1.16 |
| Magento Commerce 2.3.0, 2.2.7 and 2.1.16 (New composer installations) | https://devdocs.magento.com/guides/v2.2/install-gde/composer.html |
| Magento Commerce 2.3.0, 2.2.7 and 2.1.16 (Composer upgrades) | https://devdocs.magento.com/guides/v2.2/comp-mgr/bk-compman-upgrade-guide.html |

Magento Open Source:

| Release | Location |
|---|---|
| Magento Open Source 2.3.0, 2.2.7 and 2.1.16 (New .zip file installations) | Magento Open Source Download Page > Download Tab |
| Magento Open Source 2.3.0, 2.2.7 and 2.1.16 (New composer installations) | https://devdocs.magento.com/guides/v2.2/install-gde/composer.html |
| Magento Open Source 2.3.0, 2.2.7 and 2.1.16 (Composer upgrades) | https://devdocs.magento.com/guides/v2.2/comp-mgr/bk-compman-upgrade-guide.html |
| Magento Open Source 2.3.0, 2.2.7 and 2.1.16 (Developers contributing to the Open Source code base) | https://devdocs.magento.com/guides/v2.2/install-gde/install/cli/dev_options.html |
PRODSECBUG-2122: PHP Object Injection (POI) and Remote Code Execution (RCE) in the Magento 2.1.15 Admin | |
---|---|
Type: | Remote Code Execution (RCE) |
CVSSv3 Severity: | 9.1 |
Known Attacks: | none |
Description: | An administrator user with access to the Braintree payment method configuration can trigger remote code execution through PHP object injection. |
Product(s) Affected: | Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7 |
Fixed In: | Magento 2.1.16, Magento 2.2.7, Magento 2.3.0 |
Reporter: | convenient |
PRODSECBUG-2123: PHP Object Injection (POI) and Remote Code Execution (RCE) in the Admin | |
---|---|
Type: | Remote Code Execution (RCE) |
CVSSv3 Severity: | 9.1 |
Known Attacks: | none |
Description: | An administrator with access to Varnish configuration settings and the design configuration can trigger remote code execution through PHP object instantiation. |
Product(s) Affected: | Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7 |
Fixed In: | Magento 2.1.16, Magento 2.2.7, Magento 2.3.0 |
Reporter: | convenient |
PRODSECBUG-2160: Unauthorized File Upload via Customer Attributes | |
---|---|
Type: | Remote Code Execution (RCE) |
CVSSv3 Severity: | 9.0 |
Known Attacks: | none |
Description: | |
Product(s) Affected: | Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7 |
Fixed In: | Magento 2.1.16, Magento 2.2.7, Magento 2.3.0 |
Reporter: | mpchadwick |
PRODSECBUG-2151: Remote Code Execution through Path Traversal | |
---|---|
Type: | Remote Code Execution (RCE) |
CVSSv3 Severity: | 8.8 |
Known Attacks: | none |
Description: | Administrators with limited privileges can upload an unauthorized template using the path traversal capability. Although most forms do not authorize this type of upload, an attacker could create a product with a file custom option that accepts an unauthorized template file. |
Product(s) Affected: | Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7 |
Fixed In: | Magento 2.1.16, Magento 2.2.7, Magento 2.3.0 |
Reporter: | Blaklis_ |
PRODSECBUG-2154: Remote Code Execution through the Admin | |
---|---|
Type: | Remote Code Execution (RCE) |
CVSSv3 Severity: | 8.5 |
Known Attacks: | none |
Description: | A user can upload unauthorized files while creating a downloadable product. |
Product(s) Affected: | Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7 |
Fixed In: | Magento 2.1.16, Magento 2.2.7, Magento 2.3.0 |
Reporter: | mortis |
PRODSECBUG-2057: Remote Code Execution in Upload of Quote File | |
---|---|
Type: | Remote Code Execution (RCE) |
CVSSv3 Severity: | 8.5 |
Known Attacks: | none |
Description: | The upload settings for B2B quote files are vulnerable to remote code execution attacks. |
Product(s) Affected: | Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7 |
Fixed In: | Magento 2.1.16, Magento 2.2.7, Magento 2.3.0 |
Reporter: | mpchadwick |
PRODSECBUG-2157: Remote Code Execution Vulnerability in Race Condition | |
---|---|
Type: | Remote Code Execution (RCE) |
CVSSv3 Severity: | 8.5 |
Known Attacks: | none |
Description: | An unauthorized file download can be used to remotely execute code. |
Product(s) Affected: | Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7 |
Fixed In: | Magento 2.1.16, Magento 2.2.7, Magento 2.3.0 |
Reporter: | mortis |
PRODSECBUG-2159: API-Based Remote Code Execution Vulnerability | |
---|---|
Type: | Remote Code Execution (RCE) |
CVSSv3 Severity: | 8.5 |
Known Attacks: | none |
Description: | By activating an API that supports the ability to add products, a malicious user can send base64-encoded content to an unauthorized file and use it to remotely execute code. |
Product(s) Affected: | Magento Open Source prior to 1.9.4.0, and Magento Commerce prior to 1.14.4.0, Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7 |
Fixed In: | Magento Open Source 1.9.4.0, Magento Commerce 1.14.4.0, SUPEE-10975, Magento 2.1.16, Magento 2.2.7, Magento 2.3.0 |
Reporter: | sambecks |
PRODSECBUG-2156: Remote Code Execution through Unauthorized File Upload | |
---|---|
Type: | Remote Code Execution (RCE) |
CVSSv3 Severity: | 8.5 |
Known Attacks: | none |
Description: | A user can upload unauthorized files while uploading videos. |
Product(s) Affected: | Magento Open Source prior to 1.9.4.0, and Magento Commerce prior to 1.14.4.0, Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7 |
Fixed In: | Magento Open Source 1.9.4.0, Magento Commerce 1.14.4.0, SUPEE-10975, Magento 2.1.16, Magento 2.2.7, Magento 2.3.0 |
Reporter: | sambecks |
PRODSECBUG-2148: Remote Code Execution and Arbitrary Move File | |
---|---|
Type: | Remote Code Execution (RCE) |
CVSSv3 Severity: | 8.5 |
Known Attacks: | none |
Description: | A vulnerability in the Admin import feature permits a user to upload a file that they can subsequently use to remotely execute malicious code. |
Product(s) Affected: | Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7 |
Fixed In: | Magento 2.1.16, Magento 2.2.7, Magento 2.3.0 |
Reporter: | sambecks |
PRODSECBUG-2153: Unauthorized read permissions through Email Templates | |
---|---|
Type: | Privilege Escalation |
CVSSv3 Severity: | 7.7 |
Known Attacks: | none |
Description: | Certain template directives permit users to write dynamic content. A malicious user could use special characters in this content to circumvent the CSS directive that allows the CSS file to be loaded directly to the body of the content. In turn, this permits content to be uploaded to various directories. |
Product(s) Affected: | Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7 |
Fixed In: | Magento 2.1.16, Magento 2.2.7, Magento 2.3.0 |
Reporter: | Blaklis_ |
PRODSECBUG-2063: Bypass of Authorization Check by Unauthorized Users | |
---|---|
Type: | Privilege Escalation |
CVSSv3 Severity: | 7.2 |
Known Attacks: | none |
Description: | An unauthorized user can access user data by rendering arbitrary code blocks. |
Product(s) Affected: | Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7 |
Fixed In: | Magento 2.1.16, Magento 2.2.7, Magento 2.3.0 |
Reporter: | mpchadwick |
PRODSECBUG-2143: Cross-Site Scripting in the Swagger Generator through Unsanitized URL Parameter | |
---|---|
Type: | Cross-Site Scripting (XSS) |
CVSSv3 Severity: | 7.1 |
Known Attacks: | none |
Description: | |
Product(s) Affected: | Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7 |
Fixed In: | Magento 2.1.16, Magento 2.2.7, Magento 2.3.0 |
Reporter: | careys7 |
PRODSECBUG-2113: Vulnerability in Customer Shopping Cart | |
---|---|
Type: | Cross-Site Scripting (XSS) |
CVSSv3 Severity: | 6.5 |
Known Attacks: | none |
Description: | The customer shopping cart and coupons are vulnerable to cross-site scripting attacks. |
Product(s) Affected: | Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7 |
Fixed In: | Magento 2.1.16, Magento 2.2.7, Magento 2.3.0 |
Reporter: | mpchadwick |
PRODSECBUG-2030: Vulnerability in Staging Campaign Name | |
---|---|
Type: | Cross-Site Scripting (XSS) |
CVSSv3 Severity: | 6.5 |
Known Attacks: | none |
Description: | The name of a staging campaign provides an opportunity for cross-site scripting. |
Product(s) Affected: | Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7 |
Fixed In: | Magento 2.1.16, Magento 2.2.7, Magento 2.3.0 |
Reporter: | mpchadwick |
PRODSECBUG-2053: Vulnerability in Newsletter Template | |
---|---|
Type: | Cross-Site Scripting (XSS) |
CVSSv3 Severity: | 6.5 |
Known Attacks: | none |
Description: | Newsletter template settings are vulnerable to cross-site scripting attacks. |
Product(s) Affected: | Magento Open Source prior to 1.9.4.0, and Magento Commerce prior to 1.14.4.0, Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7 |
Fixed In: | Magento Open Source 1.9.4.0, Magento Commerce 1.14.4.0, SUPEE-10975, Magento 2.1.16, Magento 2.2.7, Magento 2.3.0 |
Reporter: | NA |
PRODSECBUG-1726: Customer Gift Card Vulnerability | |
---|---|
Type: | Cross-Site Request Forgery (CSRF) |
CVSSv3 Severity: | 6.5 |
Known Attacks: | none |
Description: | Customer gift cards are vulnerable to brute-force and cross-site request forgery attacks during redeem gift card and check balance and sales actions. |
Product(s) Affected: | Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7 |
Fixed In: | Magento 2.1.16, Magento 2.2.7, Magento 2.3.0 |
Reporter: | NA |
MAGETWO-91785: Vulnerability within Return Order Requests | |
---|---|
Type: | Cross-Site Request Forgery (CSRF) |
CVSSv3 Severity: | 6.3 |
Known Attacks: | none |
Description: | Return merchandise authorizations (RMA) are vulnerable to cross-site request forgeries. |
Product(s) Affected: | Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7 |
Fixed In: | Magento 2.1.16, Magento 2.2.7, Magento 2.3.0 |
Reporter: | NA |
PRODSECBUG-2146: Remote Code Execution through the Product Media Upload in the Admin | |
---|---|
Type: | Cross-Site Scripting (XSS) |
CVSSv3 Severity: | 6.0 |
Known Attacks: | none |
Description: | A path traversal vulnerability permits folder creation at arbitrary locations and file deletion from arbitrary locations in the Admin product image/media upload area. |
Product(s) Affected: | Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7 |
Fixed In: | Magento 2.1.16, Magento 2.2.7, Magento 2.3.0 |
Reporter: | magecraze |
MAGETWO-90725: Vulnerability in Admin Alert Message | |
---|---|
Type: | Cross-Site Scripting (XSS) |
CVSSv3 Severity: | 5.9 |
Known Attacks: | none |
Description: | The Admin alert message is vulnerable to cross-site scripting within the store configuration settings. |
Product(s) Affected: | Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7 |
Fixed In: | Magento 2.1.16, Magento 2.2.7, Magento 2.3.0 |
Reporter: | NA |
PRODSECBUG-2138: Widget Based XSS Vulnerability | |
---|---|
Type: | Cross-Site Scripting (XSS) |
CVSSv3 Severity: | 5.8 |
Known Attacks: | none |
Description: | Prevents a remote attacker from inserting arbitrary code. |
Product(s) Affected: | Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7 |
Fixed In: | Magento 2.1.16, Magento 2.2.7, Magento 2.3.0 |
Reporter: | FortiGuard Labs |
PRODSECBUG-2126: Unauthorized Modification of the feed_url Configuration Setting | |
---|---|
Type: | Privilege Escalation |
CVSSv3 Severity: | 5.8 |
Known Attacks: | none |
Description: | An administrator can manipulate the notification feed configuration value by injecting form data while saving the system section of the store configuration settings. |
Product(s) Affected: | Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7 |
Fixed In: | Magento 2.1.16, Magento 2.2.7, Magento 2.3.0 |
Reporter: | mpchadwick |
PRODSECBUG-2152: ACL Bypass of Shopping Cart Price Rules | |
---|---|
Type: | Privilege Escalation |
CVSSv3 Severity: | 5.4 |
Known Attacks: | none |
Description: | Users can bypass the permissions set in magento/module-promotion-permissions and perform create, update, and delete actions on promotional areas of the site. |
Product(s) Affected: | Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7 |
Fixed In: | Magento 2.1.16, Magento 2.2.7, Magento 2.3.0 |
Reporter: | pocallaghan |
PRODSECBUG-2136: Stored Cross-Site Scripting (XSS) in Admin | |
---|---|
Type: | Cross-Site Scripting (XSS) |
CVSSv3 Severity: | 5.4 |
Known Attacks: | none |
Description: | Multiple functions used to sanitize user input for cross-site scripting contexts can be bypassed. |
Product(s) Affected: | Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7 |
Fixed In: | Magento 2.1.16, Magento 2.2.7, Magento 2.3.0 |
Reporter: | simonscannell |
MAGETWO-94370: Customer Bypass of Restrictions | |
---|---|
Type: | Privilege Escalation |
CVSSv3 Severity: | 5.4 |
Known Attacks: | none |
Description: | Permits expected and proper view permissions of all customers for admins. |
Product(s) Affected: | Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7 |
Fixed In: | Magento 2.1.16, Magento 2.2.7, Magento 2.3.0 |
Reporter: | NA |
PRODSECBUG-1883: Leakage of Custom PHP settings from .user.ini File | |
---|---|
Type: | Information Leakage (Internal) |
CVSSv3 Severity: | 5.3 |
Known Attacks: | none |
Description: | Access to certain private files is not protected. |
Product(s) Affected: | Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7 |
Fixed In: | Magento 2.1.16, Magento 2.2.7, Magento 2.3.0 |
Reporter: | gwillem |
PRODSECBUG-2131: Bypass of Authorization Possible through Vulnerability in render_handle | |
---|---|
Type: | Privilege Escalation |
CVSSv3 Severity: | 5.0 |
Known Attacks: | none |
Description: | The Admin object does not check the privileges of the user making a request to confirm whether the user is authorized to view the resource being requested. |
Product(s) Affected: | Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7 |
Fixed In: | Magento 2.1.16, Magento 2.2.7, Magento 2.3.0 |
Reporter: | mpchadwick |
PRODSECBUG-2071: Vulnerability in Cart | |
---|---|
Type: | Cross-Site Scripting (XSS) |
CVSSv3 Severity: | 4.8 |
Known Attacks: | none |
Description: | Shopping cart settings are vulnerable to reflected cross-site scripting. |
Product(s) Affected: | Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7 |
Fixed In: | Magento 2.1.16, Magento 2.2.7, Magento 2.3.0 |
Reporter: | Jonathan Kingston |
PRODSECBUG-1917: Password Protection via External Auth Injection | |
---|---|
Type: | Information Disclosure / Leakage (Confidential or Restricted) |
CVSSv3 Severity: | 4.3 |
Known Attacks: | none |
Description: | Various media players provide opportunity for password leakage. |
Product(s) Affected: | Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7 |
Fixed In: | Magento 2.1.16, Magento 2.2.7, Magento 2.3.0 |
Reporter: | todayisnew |
PRODSECBUG-1505: Vulnerability for Authenticated Users | |
---|---|
Type: | Cross-Site Request Forgery (CSRF) |
CVSSv3 Severity: | 4.3 |
Known Attacks: | none |
Description: | Authenticated users can use cross-site request forgeries to perform unauthorized actions. |
Product(s) Affected: | Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7 |
Fixed In: | Magento 2.1.16, Magento 2.2.7, Magento 2.3.0 |
Reporter: | NA |
PRODSECBUG-2069: Vulnerability in Attribute Group Name | |
---|---|
Type: | Cross-Site Scripting (XSS) - reflected |
CVSSv3 Severity: | 4.2 |
Known Attacks: | none |
Description: | Reflected XSS can be inserted into an attribute group name in Admin > Stores > Attribute Set. |
Product(s) Affected: | Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7 |
Fixed In: | Magento 2.1.16, Magento 2.2.7, Magento 2.3.0 |
Reporter: | Magecraze |
PRODSECBUG-2088: CSRF Vulnerability related to Customer Group Deletion | |
---|---|
Type: | Cross-Site Request Forgery (CSRF) |
CVSSv3 Severity: | 4.2 |
Known Attacks: | none |
Description: | Prevents possible deletion of customer group information via escalated privilege. |
Product(s) Affected: | Magento Open Source prior to 1.9.4.0, and Magento Commerce prior to 1.14.4.0, Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7 |
Fixed In: | Magento Open Source 1.9.4.0, Magento Commerce 1.14.4.0, SUPEE-10975, Magento 2.1.16, Magento 2.2.7, Magento 2.3.0 |
Reporter: | Djordje-marjanovic |
PRODSECBUG-2108: Outdated jQuery Causes PCI Scanning Failure | |
---|---|
Type: | Compliance Requirement |
CVSSv3 Severity: | 0.0 |
Known Attacks: | none |
Description: | |
Product(s) Affected: | Magento Open Source prior to 1.9.4.0, and Magento Commerce prior to 1.14.4.0, Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7 |
Fixed In: | Magento Open Source 1.9.4.0, Magento Commerce 1.14.4.0, SUPEE-10975, Magento 2.1.16, Magento 2.2.7, Magento 2.3.0 |
Reporter: | Internal Staff |
MAGETWO-95681: Cross Site Data Leakage | |
---|---|
Type: | Information Disclosure / Leakage (Confidential or Restricted) |
CVSSv3 Severity: | 4.3 |
Known Attacks: | none |
Description: | |
Product(s) Affected: | Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7 |
Fixed In: | Magento 2.1.16, Magento 2.2.7, Magento 2.3.0 |
Reporter: | NA |
MAG-12, MAG-2: Encryption Keys Stored in Plain Text | |
---|---|
Type: | Information Disclosure / Leakage (Confidential or Restricted) |
CVSSv3 Severity: | 0.0 |
Known Attacks: | none |
Description: | Encryption keys are not encrypted but are stored in plain text in backup files. |
Product(s) Affected: | Magento Open Source prior to 1.9.4.0, and Magento Commerce prior to 1.14.4.0, Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7 |
Fixed In: | Magento Open Source 1.9.4.0, Magento Commerce 1.14.4.0, SUPEE-10975, Magento 2.1.16, Magento 2.2.7, Magento 2.3.0 |
Reporter: | NA |
PRODSECBUG-2074: AngularJS and Setup Application are Vulnerable | |
---|---|
Type: | Compliance Requirement |
CVSSv3 Severity: | 0.0 |
Known Attacks: | none |
Description: | |
Product(s) Affected: | Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7 |
Fixed In: | Magento 2.1.16, Magento 2.2.7, Magento 2.3.0 |
Reporter: | NA |
Please refer to Security Best Practices for additional information on how to secure your site.
Be sure to implement and test the patch in a development environment first to confirm that it works as expected before deploying it to a production site.
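As an added example (not part of this bulletin and not Magento's own tooling), the Python below encodes the "Product(s) Affected" and "Fixed In" ranges from the entries above so that a deployed Magento 2 version string can be classified as patched or affected; the sample inputs are constructed, and the shape of the `bin/magento --version` output line is an assumption.

```python
"""Check a Magento 2 version against the fix versions in this bulletin."""
from __future__ import annotations

import re

# Fix versions as stated in the bulletin's "Fixed In" rows: 2.1 prior to 2.1.16
# and 2.2 prior to 2.2.7 are affected; 2.3.0 is the first 2.3 release and ships fixed.
FIXED_IN: dict[tuple[int, int], tuple[int, int, int]] = {
    (2, 1): (2, 1, 16),
    (2, 2): (2, 2, 7),
    (2, 3): (2, 3, 0),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-p\d+)?")


def parse_version(text: str) -> tuple[int, int, int]:
    """Extract MAJOR.MINOR.PATCH from a bare version or a line of CLI output.

    A trailing '-pN' security-patch suffix is ignored: a patch release is at
    least as new as its base version, so comparing the base is sufficient here.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no MAJOR.MINOR.PATCH version found in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def status(text: str) -> str:
    """Classify a version as 'patched', 'affected' or 'not covered'.

    'not covered' means the bulletin lists no fix version for that release
    line (for example the Magento 1.x lines, which are handled by SUPEE-10975).
    """
    version = parse_version(text)
    line = version[:2]
    if line not in FIXED_IN:
        return "not covered"
    return "patched" if version >= FIXED_IN[line] else "affected"


if __name__ == "__main__":
    # Constructed sample inputs; the first mimics the assumed shape of
    # `bin/magento --version` output rather than quoting it.
    for sample in ("Magento CLI 2.2.6", "2.1.16", "2.3.0", "2.2.7-p1", "1.9.4.0"):
        print(f"{sample:>20}: {status(sample)}")
```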