New Security Update

Install critical updates for Magento 1.x and Magento 2.x versions

Magento 2.3.1, 2.2.8 and 2.1.17 Security Update

March 26, 2019

Magento Commerce and Open Source 2.3.1, 2.2.8 and 2.1.17 contain multiple security enhancements that help close Remote Code Execution (RCE), Cross-Site Scripting (XSS) and other vulnerabilities.

Merchants who have not previously downloaded a Magento 2 release should go straight to Magento Commerce or Open Source 2.3.1.

NOTE: A SQL injection vulnerability has been identified in pre-2.3.1 Magento code. To quickly protect your store from this vulnerability only, install patch PRODSECBUG-2198. However, to protect against this vulnerability and others, you must upgrade to Magento Commerce or Open Source 2.3.1 or 2.2.8. We strongly suggest that you install these full patches as soon as you can.

NOTE: Cloud customers can upgrade ECE-Tools to version 2002.0.17 to have this vulnerability in the core application patched automatically. The infrastructure team has added measures to block all currently known ways of exploiting the vulnerability by deploying additional WAF rules globally. Even though the known exploitation paths are blocked, we strongly recommend either upgrading ECE-Tools or applying the patch through m2-hotfixes.

See the description of PRODSECBUG-2198 below for information on this vulnerability.

Please refer to Security Best Practices for additional information on how to secure your site.

To download the releases, choose from the following options:

Partners:

Magento Commerce 2.3.1 (New .zip file installations)

Partner Portal > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.3.1

Magento Commerce 2.2.8 (New .zip file installations)

Partner Portal > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.2.8

Magento Commerce 2.1.17 (New .zip file installations)

Partner Portal > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.1.17

Magento Commerce 2.3.1, 2.2.8 and 2.1.17 (New composer installations)

https://devdocs.magento.com/guides/v2.2/install-gde/composer.html

Magento Commerce 2.3.1, 2.2.8 and 2.1.17 (Composer upgrades)

https://devdocs.magento.com/guides/v2.3/comp-mgr/bk-compman-upgrade-guide.html

Magento Commerce:

Magento Commerce 2.3.1 (New .zip file installations)

My Account > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.3.1

Magento Commerce 2.2.8 (New .zip file installations)

My Account > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.2.8

Magento Commerce 2.1.17 (New .zip file installations)

My Account > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.1.17

Magento Commerce 2.3.1, 2.2.8 and 2.1.17 (New composer installations)

https://devdocs.magento.com/guides/v2.3/install-gde/composer.html

Magento Commerce 2.3.1, 2.2.8 and 2.1.17 (Composer upgrades)

https://devdocs.magento.com/guides/v2.3/comp-mgr/bk-compman-upgrade-guide.html

Magento Open Source:

Magento Open Source 2.3.1, 2.2.8 and 2.1.17 (New .zip file installations)

Magento Open Source Download Page > Download Tab

Magento Open Source 2.3.1, 2.2.8 and 2.1.17 (New composer installations)

https://devdocs.magento.com/guides/v2.3/install-gde/composer.html

Magento Open Source 2.3.1, 2.2.8 and 2.1.17 (Composer upgrades)

https://devdocs.magento.com/guides/v2.3/comp-mgr/bk-compman-upgrade-guide.html

Magento Open Source 2.3.1, 2.2.8 and 2.1.17 (Developers contributing to the Open Source code base)

https://devdocs.magento.com/guides/v2.3/install-gde/install/cli/dev_options.html

PRODSECBUG-2192: Remote code execution through crafted newsletter and email templates
Type: General: Remote Code Execution
CVSSv3 Severity: 9.8
Known Attacks: none
Description:

An authenticated user with privileges to create newsletter or email templates can execute arbitrary code through crafted newsletter or email template code.

Product(s) Affected: Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1
Fixed In: Magento 2.1.17, Magento 2.2.8, Magento 2.3.1
Reporter: DDV_UA
PRODSECBUG-2287: Remote code execution through email template
Type: General: Remote Code Execution
CVSSv3 Severity: 9.1
Known Attacks: none
Description:

An authenticated user with administrative privileges can execute arbitrary code through email templates.

Product(s) Affected: Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1
Fixed In: Magento 2.1.17, Magento 2.2.8, Magento 2.3.1
Reporter: valis_
PRODSECBUG-2236: SQL Injection and cross-site scripting (XSS) vulnerability in Catalog section
Type: Injections: SQL
CVSSv3 Severity: 9
Known Attacks: none
Description:

An authenticated user can embed malicious code through a stored cross-site scripting vulnerability or an SQL injection vulnerability in the Catalog section by manipulating attribute_code.

Product(s) Affected: Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1
Fixed In: Magento 2.1.17, Magento 2.2.8, Magento 2.3.1
Reporter: Pete O'Callaghan
PRODSECBUG-2198: SQL Injection vulnerability through an unauthenticated user
Type: Injections: SQL
CVSSv3 Severity: 9
Known Attacks: none
Description:

An unauthenticated user can execute arbitrary code through an SQL injection vulnerability, which causes sensitive data leakage. NOTE: This patch is not included in 2.1.17. Please apply the PRODSECBUG-2198 patch in addition to upgrading to 2.1.17.

Product(s) Affected: Magento Open Source prior to 1.9.4.1, Magento Commerce prior to 1.14.4.1, Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1
Fixed In: Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086, Magento 2.2.8, Magento 2.3.1
Reporter: cfreal
PRODSECBUG-2261: Arbitrary code execution due to unsafe deserialization of a PHP archive
Type: General: Remote Code Execution
CVSSv3 Severity: 8.5
Known Attacks: none
Description:

An authenticated user with administrative privileges can execute arbitrary code through a Phar deserialization vulnerability.

Product(s) Affected: Magento Open Source prior to 1.9.4.1, Magento Commerce prior to 1.14.4.1, Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1
Fixed In: Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086, Magento 2.1.17, Magento 2.2.8, Magento 2.3.1
Reporter: Simon Scannell
PRODSECBUG-2263: Arbitrary code execution due to the unsafe handling of an API call to a core bundled extension (Magento Shipping)
Type: General: Remote Code Execution
CVSSv3 Severity: 8.5
Known Attacks: none
Description:

An authenticated user with privileges to configure store settings can execute arbitrary code through server-side request forgery.

Product(s) Affected: Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1
Fixed In: Magento 2.1.17, Magento 2.2.8, Magento 2.3.1
Reporter: Max Chadwick
PRODSECBUG-2256: Arbitrary code execution due to unsafe deserialization of a PHP Archive
Type: General: Remote Code Execution
CVSSv3 Severity: 8.5
Known Attacks: none
Description:

An authenticated user with privileges to configure email templates can execute arbitrary code via a PHP archive deserialization vulnerability.

Product(s) Affected: Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1
Fixed In: Magento 2.1.17, Magento 2.2.8, Magento 2.3.1
Reporter: Simon Scannell
PRODSECBUG-2165: Sensitive data disclosure due to NGINX configuration's regular expressions not being restricted to the explicit directories
Type: Information Disclosure
CVSSv3 Severity: 8.5
Known Attacks: none
Description:

An authenticated user with administrative privileges can upload PHP files to access sensitive data because the NGINX configuration allows PHP files to be executed in any directory.

Product(s) Affected: Magento 2.1 prior to 2.1.17
Fixed In: Magento 2.1.17
Reporter: Kieren Evans
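The configuration pattern behind this entry, shown as an added illustration that is not Magento's shipped nginx.conf.sample: a catch-all `location ~ \.php$` hands any request ending in .php to PHP-FPM, including a file an administrator has placed in an upload directory, whereas restricting execution to explicitly named front controllers at the docroot and denying PHP under the media and static trees removes that path. The docroot, the PHP-FPM socket, the server name and the list of front-controller file names are assumptions for this example.

```nginx
# Added illustration for PRODSECBUG-2165; NOT Magento's own nginx.conf.sample.
# Docroot, socket path, server name and front-controller names are assumed.

# --- Weak pattern (the behaviour the advisory describes) -----------------------
# Every *.php request is passed to PHP-FPM, so a PHP file written into an upload
# directory such as /media/ is executed by the web server.
#
#   location ~ \.php$ {
#       fastcgi_pass unix:/run/php-fpm.sock;
#       include fastcgi_params;
#   }

# --- Hardened pattern ----------------------------------------------------------
server {
    listen 8080;
    server_name shop.example.invalid;     # placeholder
    root /var/www/magento/pub;            # assumed docroot

    # Upload and media tree: serve files statically, never execute them.
    # "^~" makes this prefix match win over the regex locations below.
    location ^~ /media/ {
        location ~* \.(php|phtml|phar)$ { deny all; }
        try_files $uri $uri/ /get.php$is_args$args;
    }

    # Generated static assets: same rule.
    location ^~ /static/ {
        location ~* \.(php|phtml|phar)$ { deny all; }
        try_files $uri $uri/ /static.php$is_args$args;
    }

    # Only explicitly named front controllers directly under the docroot may run.
    location ~ ^/(index|get|static|health_check)\.php$ {
        try_files $uri =404;                 # never execute a non-existent path
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm.sock; # assumed PHP-FPM socket
    }

    # Any other PHP-looking path, wherever it was uploaded, is refused.
    location ~* \.(php|phtml|phar)$ { deny all; }

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }
}
```

The `try_files ... /get.php$is_args$args` fallbacks trigger an internal redirect, which is matched again against the location list and lands on the front-controller block, so media and static fallbacks keep working while a stray `/media/shell.php` is met with `deny all`. A quick check after deploying such a change is to place a harmless `.php` file under pub/media/ and confirm the server answers 403 rather than executing it.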
PRODSECBUG-2053: Cross Site Scripting in newsletter template name
Type: General: Cross Site Scripting
CVSSv3 Severity: 6.6
Known Attacks: none
Description:

An authenticated user with administrative privileges can embed arbitrary code when editing the Newsletter section of the admin panel.

Product(s) Affected: Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1
Fixed In: Magento 2.1.17, Magento 2.2.8, Magento 2.3.1
Reporter: internal
PRODSECBUG-2181: Stored cross-site scripting in the Admin Customer Segments area
Type: General: Cross Site Scripting
CVSSv3 Severity: 6.5
Known Attacks: none
Description:

An authenticated user with privileges to the Customer Segments section of the Admin can use a stored cross-site scripting vulnerability to embed malicious code.

Product(s) Affected: Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1
Fixed In: Magento 2.1.17, Magento 2.2.8, Magento 2.3.1
Reporter: magecraze
PRODSECBUG-2207: Unauthorized implementation due to bypassing the need for administrator authentication approval on B2B accounts
Type: Privilege Escalation
CVSSv3 Severity: 6.5
Known Attacks: none
Description:

An authenticated user can create a B2B account without administrative approval due to an authentication bypass vulnerability.

Product(s) Affected: Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1
Fixed In: Magento 2.1.17, Magento 2.2.8, Magento 2.3.1
Reporter: craig-gene
PRODSECBUG-2162: Unauthorized data control due to a bypass of authentication controls for a customer using a web API endpoint
Type: Privilege Escalation & Enumeration: Insecure Direct Object Reference
CVSSv3 Severity: 6.4
Known Attacks: none
Description:

An authenticated customer can control other customers' requisition lists by using a web API endpoint to send a request to the server. (This overrides the customer_id parameter.)

Product(s) Affected: Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1
Fixed In: Magento 2.1.17, Magento 2.2.8, Magento 2.3.1
Reporter: Brian LaBelle
PRODSECBUG-2277: SQL injection due to inadequate validation of user input
Type: Injections: SQL
CVSSv3 Severity: 6.4
Known Attacks: none
Description:

An authenticated user with privileges to configure email templates can execute arbitrary SQL queries.

Product(s) Affected: Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1
Fixed In: Magento 2.1.17, Magento 2.2.8, Magento 2.3.1
Reporter: Blaklis_
PRODSECBUG-2134: Reflected cross-site scripting vulnerability in the Admin through the requisition list ID
Type: General: Cross Site Scripting
CVSSv3 Severity: 6.3
Known Attacks: none
Description:

An authenticated user with privileges to the Admin requisition list ID can use a cross-site scripting vulnerability to embed malicious code.

Product(s) Affected: Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1
Fixed In: Magento 2.1.17, Magento 2.2.8, Magento 2.3.1
Reporter: Pete O'Callaghan
PRODSECBUG-2178: Stored cross-site scripting in the admin panel via the Admin Shopping Cart Rules page
Type: General: Cross Site Scripting
CVSSv3 Severity: 5.8
Known Attacks: none
Description:

An authenticated user with administrative privileges can embed arbitrary code in the Conditions tab of the Admin Shopping Cart Rules page.

Product(s) Affected: Magento Open Source prior to 1.9.4.1, Magento Commerce prior to 1.14.4.1, Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1
Fixed In: Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086, Magento 2.1.17, Magento 2.2.8, Magento 2.3.1
Reporter: magecraze
PRODSECBUG-2195: Deletion of a product attribute through cross-site request forgery
Type: General: Cross Site Request Forgery
CVSSv3 Severity: 5.8
Known Attacks: none
Description:

An attacker can delete a product attribute within the context of an authenticated administrator's session through cross-site request forgery.

Product(s) Affected: Magento Open Source prior to 1.9.4.1, Magento Commerce prior to 1.14.4.1, Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1
Fixed In: Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086, Magento 2.1.17, Magento 2.2.8, Magento 2.3.1
Reporter: djordje-marjanovic
PRODSECBUG-2140: Site map deletion through cross-site request forgery
Type: General: Cross Site Request Forgery
CVSSv3 Severity: 5.8
Known Attacks: none
Description:

An attacker can delete the site map within the context of an authenticated administrator's session through cross-site request forgery.

Product(s) Affected: Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1
Fixed In: Magento 2.1.17, Magento 2.2.8, Magento 2.3.1
Reporter: djordje-marjanovic
PRODSECBUG-2130: Deletion of synonym groups through a cross-site request forgery vulnerability
Type: General: Cross Site Scripting
CVSSv3 Severity: 5.7
Known Attacks: none
Description:

An attacker can delete all synonym groups within the context of an authenticated administrator's session through cross-site request forgery.

Product(s) Affected: Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1
Fixed In: Magento 2.1.17, Magento 2.2.8, Magento 2.3.1
Reporter: djordje-marjanovic
PRODSECBUG-2184: Stored cross-site scripting in the admin panel via the Terms & Conditions Checkbox Text field
Type: General: Cross Site Scripting
CVSSv3 Severity: 5.7
Known Attacks: none
Description:

An authenticated user with administrative privileges can embed arbitrary code via a stored cross-site scripting vulnerability in the Terms & Conditions Checkbox Text field in the admin panel.

Product(s) Affected: Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1
Fixed In: Magento 2.1.17, Magento 2.2.8, Magento 2.3.1
Reporter: magecraze
PRODSECBUG-2097: Stored cross-site scripting in the Admin through the Admin Notification function
Type: General: Cross Site Scripting
CVSSv3 Severity: 5.5
Known Attacks: none
Description:

An authenticated user with privileges to edit the Admin notification section can use a stored cross-site scripting vulnerability to embed malicious code.

Product(s) Affected: Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1
Fixed In: Magento 2.1.17, Magento 2.2.8, Magento 2.3.1
Reporter: wiardvanrij
PRODSECBUG-2043: Stored cross-site scripting vulnerability in Admin product names
Type: General: Cross Site Scripting
CVSSv3 Severity: 5.5
Known Attacks: none
Description:

An authenticated user with privileges to product name fields in the Admin can use a stored cross-site scripting vulnerability to embed malicious code.

Product(s) Affected: Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1
Fixed In: Magento 2.1.17, Magento 2.2.8, Magento 2.3.1
Reporter: Max Chadwick
PRODSECBUG-2135: Stored cross-site scripting in the Admin through B2B packages
Type: General: Cross Site Scripting
CVSSv3 Severity: 5.5
Known Attacks: none
Description:

An authenticated user with privileges to the B2B packages can, through an unsanitized URL parameter, use a stored cross-site scripting vulnerability to embed malicious code.

Product(s) Affected: Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1
Fixed In: Magento 2.1.17, Magento 2.2.8, Magento 2.3.1
Reporter: Pete O'Callaghan
PRODSECBUG-2028: Stored cross-site scripting vulnerability in the Admin **Stores** > **Attributes** > **Product** configuration area
Type: General: Cross Site Scripting
CVSSv3 Severity: 5.5
Known Attacks: none
Description:

An authenticated user with privileges to the Admin **Stores** > **Attributes** > **Product** configuration area can use a stored cross-site scripting vulnerability to embed malicious code.

Product(s) Affected: Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1
Fixed In: Magento 2.1.17, Magento 2.2.8, Magento 2.3.1
Reporter: Luke Rodgers
PRODSECBUG-2038: Stored cross-site scripting vulnerability in the Admin through the Checkbox Custom Option Value field
Type: General: Cross Site Scripting
CVSSv3 Severity: 5.5
Known Attacks: none
Description:

An authenticated user with privileges to the Checkbox Custom Option Value field in the Admin can use a stored cross-site scripting vulnerability to embed malicious code.

Product(s) Affected: Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1
Fixed In: Magento 2.1.17, Magento 2.2.8, Magento 2.3.1
Reporter: Max Chadwick
PRODSECBUG-2133: Stored cross-site scripting vulnerability in the Admin through B2B packages
Type: General: Cross Site Scripting
CVSSv3 Severity: 5.5
Known Attacks: none
Description:

An authenticated user with privileges to B2B packages can, through an unsanitized URL parameter, use a stored cross-site scripting vulnerability to embed malicious code.

Product(s) Affected: Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1
Fixed In: Magento 2.1.17, Magento 2.2.8, Magento 2.3.1
Reporter: Pete O'Callaghan
PRODSECBUG-2229: Stored cross-site scripting in the admin panel via the Attribute Label for Media Attributes section
Type: General: Cross Site Scripting
CVSSv3 Severity: 5.4
Known Attacks: none
Description:

An authenticated user with administrative privileges can embed malicious code in the Attribute Label for Media Attributes section in the admin panel.

Product(s) Affected: Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1
Fixed In: Magento 2.1.17, Magento 2.2.8, Magento 2.3.1
Reporter: Max Chadwick
PRODSECBUG-2126: Reflected cross-site scripting through manipulation of the Admin notification feed URL
Type: General: Cross Site Scripting
CVSSv3 Severity: 5.4
Known Attacks: none
Description:

An authenticated user with administrative privileges can manipulate the notification feed, which allows an attacker to use a cross-site scripting vulnerability to embed malicious code.

Product(s) Affected: Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1
Fixed In: Magento 2.1.17, Magento 2.2.8, Magento 2.3.1
Reporter: Max Chadwick
PRODSECBUG-2035: Stored cross-site scripting in the Admin Catalog configuration section
Type: General: Cross Site Scripting
CVSSv3 Severity: 5.4
Known Attacks: none
Description:

An authenticated user with privileges to the Admin **Products** > **Catalog** configuration section can use a stored cross-site scripting vulnerability to embed malicious code.

Product(s) Affected: Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1
Fixed In: Magento 2.1.17, Magento 2.2.8, Magento 2.3.1
Reporter: Max Chadwick
PRODSECBUG-2168: Stored cross-site scripting in the Admin panel through the product configurations section
Type: General: Cross Site Scripting
CVSSv3 Severity: 5.4
Known Attacks: none
Description:

An authenticated user with privileges to the Admin product configurations section can use a stored cross-site scripting vulnerability to embed malicious code.

Product(s) Affected: Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1
Fixed In: Magento 2.1.17, Magento 2.2.8, Magento 2.3.1
Reporter: Zhouyuan Yang of Fortinet's FortiGuard Labs
PRODSECBUG-1985: WYSIWYG
Type: General: Cross Site Request Forgery
CVSSv3 Severity: 5.4
Known Attacks: none
Description:

An attacker can delete the content of the wysiwyg directory within the context of an authenticated administrator's session via cross-site request forgery.

Product(s) Affected: Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1
Fixed In: Magento 2.1.17, Magento 2.2.8, Magento 2.3.1
Reporter: boskostan
PRODSECBUG-2104: Missing CAPTCHA on Send to a friend page
Type: Other
CVSSv3 Severity: 5.3
Known Attacks: none
Description:

The Send to a friend page can be used for spamming due to a missing CAPTCHA.

Product(s) Affected: Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1
Fixed In: Magento 2.1.17, Magento 2.2.8, Magento 2.3.1
Reporter: support
PRODSECBUG-1883: Information disclosure in Magento 2.x default configuration
Type: Privilege Escalation & Enumeration: Insecure Direct Object Reference
CVSSv3 Severity: 5.3
Known Attacks: none
Description:

The Magento 2.x default configuration allows public access to custom PHP settings.

Product(s) Affected: Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1
Fixed In: Magento 2.1.17, Magento 2.2.8, Magento 2.3.1
Reporter: Willem de Groot
PRODSECBUG-2228: Sensitive Data Disclosure due to an Insecure Direct Object Reference vulnerability
Type: Privilege Escalation & Enumeration: Insecure Direct Object Reference
CVSSv3 Severity: 5.3
Known Attacks: none
Description:

An authenticated user can view personally identifiable details of another user by exploiting an Insecure Direct Object Reference vulnerability.

Product(s) Affected: Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1
Fixed In: Magento 2.1.17, Magento 2.2.8, Magento 2.3.1
Reporter: jealousbat
PRODSECBUG-2019: Spam using share a wishlist functionality
Type: Other
CVSSv3 Severity: 4.8
Known Attacks: none
Description:
Product(s) Affected: Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1
Fixed In: Magento 2.1.17, Magento 2.2.8, Magento 2.3.1
Reporter: community
PRODSECBUG-2197: Admin credentials are logged in exception reports
Type: Information Disclosure
CVSSv3 Severity: 3.9
Known Attacks: none
Description:

Exception error reports capture administrative credentials in clear text.

Product(s) Affected: Magento Open Source prior to 1.9.4.1, Magento Commerce prior to 1.14.4.1, Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1
Fixed In: Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086, Magento 2.1.17, Magento 2.2.8, Magento 2.3.1
Reporter: magecraze, Matt Hamm
PRODSECBUG-2213: Unauthorized access to wishlists via an insecure direct object reference in the application
Type: Privilege Escalation & Enumeration: Insecure Direct Object Reference
CVSSv3 Severity: 3.7
Known Attacks: none
Description:

An authenticated user can enumerate and access wishlists they are not authorized to see via an insecure direct object reference in the application.

Product(s) Affected: Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1
Fixed In: Magento 2.1.17, Magento 2.2.8, Magento 2.3.1
Reporter: Roberto Suggi Liverani
PRODSECBUG-2016: HTML injection vulnerability due to insufficient data validation
Type: Injections: Other
CVSSv3 Severity: 3.1
Known Attacks: none
Description:

An authenticated user can add and execute a malicious script on an HTML page through a vulnerable CLI command due to a lack of data validation.

Product(s) Affected: Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1
Fixed In: Magento 2.1.17, Magento 2.2.8, Magento 2.3.1
Reporter: scottsb

Please refer to Security Best Practices for additional information on how to secure your site.

Be sure to implement and test the patch in a development environment first to confirm that it works as expected before deploying it to a production site.