Magento 2.3.1, 2.2.8 and 2.1.17 Security Update
March 26, 2019
Magento Commerce and Open Source 2.3.1, 2.2.8 and 2.1.17 contain multiple security enhancements that help close Remote Code Execution (RCE), Cross-Site Scripting (XSS) and other vulnerabilities.
Merchants who have not previously downloaded a Magento 2 release should go straight to Magento Commerce or Open Source 2.3.1.
NOTE: A SQL injection vulnerability has been identified in pre-2.3.1 Magento code. To quickly protect your store from this vulnerability only, install patch PRODSECBUG-2198. However, to protect against this vulnerability and others, you must upgrade to Magento Commerce or Open Source 2.3.1 or 2.2.8. We strongly suggest that you install these full patches as soon as you can.
NOTE: Cloud customers can upgrade ECE-Tools to version 2002.0.17 to get this vulnerability in core application patched automatically. Infrastructure team added measures to block any currently known ways to exploit the vulnerability by adding additional WAF rules, which are deployed globally. Even though we have blocked known ways to exploit vulnerability, we strongly recommend to either upgrade ECE-Tools or apply the patch through m2-hotfixes.
See the description of PRODSECBUG-2198 below for information on this vulnerability.
Please refer to Security Best Practices for additional information how to secure your site.
To download the releases, choose from the following options:
Partners:
|
Magento Commerce 2.3.1 (New .zip file installations) |
Partner Portal > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.3.1 |
|
Magento Commerce 2.2.8 (New .zip file installations) |
Partner Portal > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.2.8 |
|
Magento Commerce 2.1.17 (New .zip file installations) |
Partner Portal > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.1.17 |
|
Magento Commerce 2.3.1, 2.2.8 and 2.1.17 (New composer installations) |
https://devdocs.magento.com/guides/v2.2/install-gde/composer.html |
|
Magento Commerce 2.3.1, 2.2.8 and 2.1.17 (Composer upgrades) |
https://devdocs.magento.com/guides/v2.3/comp-mgr/bk-compman-upgrade-guide.html |
Magento Commerce:
|
Magento Commerce 2.3.1 (New .zip file installations) |
My Account > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.3.1 |
|
Magento Commerce 2.2.8 (New .zip file installations) |
My Account > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.2.8 |
|
Magento Commerce 2.1.17 (New .zip file installations) |
My Account > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.1.17 |
|
Magento Commerce 2.3.1, 2.2.8 and 2.1.17 (New composer installations) |
https://devdocs.magento.com/guides/v2.3/install-gde/composer.html |
|
Magento Commerce 2.3.1, 2.2.8 and 2.1.17 (Composer upgrades) |
https://devdocs.magento.com/guides/v2.3/comp-mgr/bk-compman-upgrade-guide.html |
Magento Open Source:
|
Magento Open Source 2.3.1, 2.2.8 and 2.1.17 (New .zip file installations) |
Magento Open Source Download Page > Download Tab |
|
Magento Open Source 2.3.1, 2.2.8 and 2.1.17 (New composer installations) |
https://devdocs.magento.com/guides/v2.3/install-gde/composer.html |
|
Magento Open Source 2.3.1, 2.2.8 and 2.1.17 (Composer upgrades) |
https://devdocs.magento.com/guides/v2.3/comp-mgr/bk-compman-upgrade-guide.html |
|
Magento Open Source 2.3.1, 2.2.8 and 2.1.17 (Developers contributing to the Open Source code base) |
https://devdocs.magento.com/guides/v2.3/install-gde/install/cli/dev_options.html |
| PRODSECBUG-2192: Remote code execution though crafted newsletter and email templates | |
|---|---|
| Type: | General: Remote Code Execution |
| CVSSv3 Severity: | 9.8 |
| Known Attacks: | none |
| Description: | An authenticated user with privileges to create newsletter or email templates can execute arbitrary code through crafted newsletter or email template code. |
| Product(s) Affected: | Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 |
| Fixed In: | Magento 2.1.17, Magento 2.2.8, Magento 2.3.1 |
| Reporter: | DDV_UA |
| PRODSECBUG-2287: Remote code execution through email template | |
|---|---|
| Type: | General: Remote Code Execution |
| CVSSv3 Severity: | 9.1 |
| Known Attacks: | none |
| Description: | An authenticated user with administrative privileges can execute arbitrary code through email templates |
| Product(s) Affected: | Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 |
| Fixed In: | Magento 2.1.17, Magento 2.2.8, Magento 2.3.1 |
| Reporter: | valis_ |
| PRODSECBUG-2236: SQL Injection and cross-site scripting vulnerability in Catalog section (XSS) | |
|---|---|
| Type: | Injections: SQL |
| CVSSv3 Severity: | 9 |
| Known Attacks: | none |
| Description: | An authenticated user can embed malicious code through a stored cross-site scripting vulnerability or an SQL injection vulnerability in the Catalog section by manipulating attribute_code. |
| Product(s) Affected: | Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 |
| Fixed In: | Magento 2.1.17, Magento 2.2.8, Magento 2.3.1 |
| Reporter: | Pete O'Callaghan |
| PRODSECBUG-2198: SQL Injection vulnerability through an unauthenticated user | |
|---|---|
| Type: | Injections: SQL |
| CVSSv3 Severity: | 9 |
| Known Attacks: | none |
| Description: | An unauthenticated user can execute arbitrary code through an SQL injection vulnerability, which causes sensitive data leakage. NOTE: This patch is not included in 2.1.17. Please apply PRODSECBUG-2198 patch in addition to upgrade to 2.1.17. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1, Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 |
| Fixed In: | Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086, Magento 2.2.8, Magento 2.3.1 |
| Reporter: | cfreal |
| PRODSECBUG-2261: Arbitrary code execution due to unsafe deserialization of a PHP archive | |
|---|---|
| Type: | General: Remote Code Execution |
| CVSSv3 Severity: | 8.5 |
| Known Attacks: | none |
| Description: | An authenticated user with administrative privileges can execute arbitrary code through a Phar deserialization vulnerability. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1, Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 |
| Fixed In: | Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086, Magento 2.1.17, Magento 2.2.8, Magento 2.3.1 |
| Reporter: | Simon Scannell |
| PRODSECBUG-2263: Arbitrary code execution due to the unsafe handling of an API call to a core bundled extension. (Magento Shipping) | |
|---|---|
| Type: | General: Remote Code Execution |
| CVSSv3 Severity: | 8.5 |
| Known Attacks: | none |
| Description: | An authenticated user with privileges to configure store settings can execute arbitrary code execution through server-side request forgery. |
| Product(s) Affected: | Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 |
| Fixed In: | Magento 2.1.17, Magento 2.2.8, Magento 2.3.1 |
| Reporter: | Max Chadwick |
| PRODSECBUG-2256: Arbitrary code execution due to unsafe deserialization of a PHP Archive | |
|---|---|
| Type: | General: Remote Code Execution |
| CVSSv3 Severity: | 8.5 |
| Known Attacks: | none |
| Description: | An authenticated user with privileges to configure email templates can execute arbitrary code via a PHP archive deserialization vulnerability. |
| Product(s) Affected: | Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 |
| Fixed In: | Magento 2.1.17, Magento 2.2.8, Magento 2.3.1 |
| Reporter: | Simon Scannell |
| PRODSECBUG-2165: Sensitive data disclosure due to NGINX configuration's regular expressions not being restricted to the explicit directories | |
|---|---|
| Type: | Information Disclousure |
| CVSSv3 Severity: | 8.5 |
| Known Attacks: | none |
| Description: | An authenticated userwith administrative privileges can upload PHP files to access sensitive data because NGINX configuration allows PHP files to be executed in any directory. |
| Product(s) Affected: | Magento 2.1 prior to 2.1.17 |
| Fixed In: | Magento 2.1.17 |
| Reporter: | Kieren Evans |
| PRODSECBUG-2053: Cross Site Scripting in newsletter template name | |
|---|---|
| Type: | General: Cross Site Scripting |
| CVSSv3 Severity: | 6.6 |
| Known Attacks: | none |
| Description: | An authenticated user with administrative privileges can embed arbitrary code when editing the Newsletter section of the admin panel. |
| Product(s) Affected: | Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 |
| Fixed In: | Magento 2.1.17, Magento 2.2.8, Magento 2.3.1 |
| Reporter: | internal |
| PRODSECBUG-2181: Stored cross-site scripting in the Admin Customer Segments area | |
|---|---|
| Type: | General: Cross Site Scripting |
| CVSSv3 Severity: | 6.5 |
| Known Attacks: | none |
| Description: | An authenticated user with privileges to the Customer Segments section of the Admin can use a stored cross site scripting vulnerability to embed malicious code. |
| Product(s) Affected: | Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 |
| Fixed In: | Magento 2.1.17, Magento 2.2.8, Magento 2.3.1 |
| Reporter: | magecraze |
| PRODSECBUG-2207: Unauthorized implementation due to bypassing the need for administrator authentication approval on B2B accounts | |
|---|---|
| Type: | Privilege Escalation |
| CVSSv3 Severity: | 6.5 |
| Known Attacks: | none |
| Description: | An authenticated user can create a B2B account without administrative approval due to an authentication bypass vulnerability. |
| Product(s) Affected: | Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 |
| Fixed In: | Magento 2.1.17, Magento 2.2.8, Magento 2.3.1 |
| Reporter: | craig-gene |
| PRODSECBUG-2162: Unauthorized data control due to a bypass of authentication controls for a customer using a web API endpoint | |
|---|---|
| Type: | Privilege Escalation & Enumeration: Insecure Direct Object Reference |
| CVSSv3 Severity: | 6.4 |
| Known Attacks: | none |
| Description: | An authenticated customer can control other customer's requistion lists by using a web API endpoint to send a request to the server. (This overrides the customer_id parameter.) |
| Product(s) Affected: | Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 |
| Fixed In: | Magento 2.1.17, Magento 2.2.8, Magento 2.3.1 |
| Reporter: | Brian LaBelle |
| PRODSECBUG-2277: SQL injection due to inadequate validation of user input | |
|---|---|
| Type: | Injections: SQL |
| CVSSv3 Severity: | 6.4 |
| Known Attacks: | none |
| Description: | An authenticated user with privileges to configure email templatescan execute arbitrary SQL queries. |
| Product(s) Affected: | Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 |
| Fixed In: | Magento 2.1.17, Magento 2.2.8, Magento 2.3.1 |
| Reporter: | Blaklis_ |
| PRODSECBUG-2134: Reflected cross-site scripting vulnerability in the Admin through the requisition list ID | |
|---|---|
| Type: | General: Cross Site Scripting |
| CVSSv3 Severity: | 6.3 |
| Known Attacks: | none |
| Description: | An authenticated user with privileges to the Admin requisition list ID can use a cross-site scripting vulnerability to embed malicious code. |
| Product(s) Affected: | Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 |
| Fixed In: | Magento 2.1.17, Magento 2.2.8, Magento 2.3.1 |
| Reporter: | Pete O'Callaghan |
| PRODSECBUG-2178: Stored cross-site scripting in the admin panel via the Admin Shopping Cart Rules page | |
|---|---|
| Type: | General: Cross Site Scripting |
| CVSSv3 Severity: | 5.8 |
| Known Attacks: | none |
| Description: | An authenticated user with administrative privileges can embed arbitrary code in the Conditions tab of Admin Shopping Cart Rules page. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1, Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 |
| Fixed In: | Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086, Magento 2.1.17, Magento 2.2.8, Magento 2.3.1 |
| Reporter: | magecraze |
| PRODSECBUG-2195: Deletion of a product attribute through cross-site request forgery | |
|---|---|
| Type: | General: Cross Site Request Forgery |
| CVSSv3 Severity: | 5.8 |
| Known Attacks: | none |
| Description: | An attacker can delete a product attribute within the context of authenticated administrator's session through cross-site request forgery. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1, Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 |
| Fixed In: | Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086, Magento 2.1.17, Magento 2.2.8, Magento 2.3.1 |
| Reporter: | djordje-marjanovic |
| PRODSECBUG-2140: Site map deletion through cross-site request forgery | |
|---|---|
| Type: | General: Cross Site Request Forgery |
| CVSSv3 Severity: | 5.8 |
| Known Attacks: | none |
| Description: | An attacker can delete the site map within the context of an authenticated administrator's session through cross-site request forgery. |
| Product(s) Affected: | Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 |
| Fixed In: | Magento 2.1.17, Magento 2.2.8, Magento 2.3.1 |
| Reporter: | djordje-marjanovic |
| PRODSECBUG-2130: Deletion of synonym groups through a cross-site request forgery vulnerability | |
|---|---|
| Type: | General: Cross Site Scripting |
| CVSSv3 Severity: | 5.7 |
| Known Attacks: | none |
| Description: | An attacker can delete all synonyms groups within the context of an authenticated administrator's session through cross-site request forgery. |
| Product(s) Affected: | Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 |
| Fixed In: | Magento 2.1.17, Magento 2.2.8, Magento 2.3.1 |
| Reporter: | djordje-marjanovic |
| PRODSECBUG-2184: Stored cross-site scripting in the admin panel via the Terms & Conditions with Checkbox Text field in the admin panel. | |
|---|---|
| Type: | General: Cross Site Scripting |
| CVSSv3 Severity: | 5.7 |
| Known Attacks: | none |
| Description: | An authenticated user with administrative privileges can embed arbitrary code via a stored cross site scripting vulnerability in the Terms & Conditions with Checkbox Text field in the admin panel. |
| Product(s) Affected: | Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 |
| Fixed In: | Magento 2.1.17, Magento 2.2.8, Magento 2.3.1 |
| Reporter: | magecraze |
| PRODSECBUG-2097: Stored cross-site scripting in the Admin through the Admin Notification function | |
|---|---|
| Type: | General: Cross Site Scripting |
| CVSSv3 Severity: | 5.5 |
| Known Attacks: | none |
| Description: | An authenticated user with privileges to edit the Admin notification section can use a stored cross-site scripting vulnerability to embed malicious code. |
| Product(s) Affected: | Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 |
| Fixed In: | Magento 2.1.17, Magento 2.2.8, Magento 2.3.1 |
| Reporter: | wiardvanrij |
| PRODSECBUG-2043: Stored cross-site scripting vulnerability in Admin product names | |
|---|---|
| Type: | General: Cross Site Scripting |
| CVSSv3 Severity: | 5.5 |
| Known Attacks: | none |
| Description: | An authenticated user with privileges to product name fields on the Admin can use stored cros-site scripting vulnerability to embed malicious code. |
| Product(s) Affected: | Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 |
| Fixed In: | Magento 2.1.17, Magento 2.2.8, Magento 2.3.1 |
| Reporter: | Max Chadwick |
| PRODSECBUG-2135: Stored cross-site scripting in the Admin through B2B packages | |
|---|---|
| Type: | General: Cross Site Scripting |
| CVSSv3 Severity: | 5.5 |
| Known Attacks: | none |
| Description: | An authenticated user with privileges to the B2B packages through an unsanitized URL parameter can use a stored cross-site scripting vulnerability to embed malicious code. |
| Product(s) Affected: | Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 |
| Fixed In: | Magento 2.1.17, Magento 2.2.8, Magento 2.3.1 |
| Reporter: | Pete O'Callaghan |
| PRODSECBUG-2028: Stored cross-site scripting vulnerability in the Admin **Stores** > **Attributes** > **Product **configuration area | |
|---|---|
| Type: | General: Cross Site Scripting |
| CVSSv3 Severity: | 5.5 |
| Known Attacks: | none |
| Description: | An authenticated user with privileges to the Admin **Stores** > **Attributes** > **Product ** configuration area can use a stored cross-site scripting vulnerability to embed malicious code. |
| Product(s) Affected: | Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 |
| Fixed In: | Magento 2.1.17, Magento 2.2.8, Magento 2.3.1 |
| Reporter: | Luke Rodgers |
| PRODSECBUG-2038: Stored cross-site scripting vulnerability in the Admin through the Checkbox Custom Option Value field | |
|---|---|
| Type: | General: Cross Site Scripting |
| CVSSv3 Severity: | 5.5 |
| Known Attacks: | none |
| Description: | An authenticated user with privileges to the Checkbox Custom Option Value field on the Admin can use a stored cross-site scripting vulnerability to embed malicious code. |
| Product(s) Affected: | Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 |
| Fixed In: | Magento 2.1.17, Magento 2.2.8, Magento 2.3.1 |
| Reporter: | Max Chadwick |
| PRODSECBUG-2133: Stored cross-site scripting vulnerability in the Admin through B2B packages | |
|---|---|
| Type: | General: Cross Site Scripting |
| CVSSv3 Severity: | 5.5 |
| Known Attacks: | none |
| Description: | An authenticated user with privileges to B2B packages through an unsanitized URL parameter can use a stored cross-site scripting vulnerability to embed malicious code. |
| Product(s) Affected: | Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 |
| Fixed In: | Magento 2.1.17, Magento 2.2.8, Magento 2.3.1 |
| Reporter: | Pete O'Callaghan |
| PRODSECBUG-2229: Stored cross-site scripting in the admin panel via the Attribute Label for Media Attributes section | |
|---|---|
| Type: | General: Cross Site Scripting |
| CVSSv3 Severity: | 5.4 |
| Known Attacks: | none |
| Description: | An authenticated user with administrative privileges can embed malicious code in the Attribute Label for Media Attributes section in the admin panel |
| Product(s) Affected: | Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 |
| Fixed In: | Magento 2.1.17, Magento 2.2.8, Magento 2.3.1 |
| Reporter: | Max Chadwick |
| PRODSECBUG-2126: Reflected cross-site scripting through manipulation of the Admin notification feed URL. | |
|---|---|
| Type: | General: Cross Site Scripting |
| CVSSv3 Severity: | 5.4 |
| Known Attacks: | none |
| Description: | An authenticated user with administrative privileges can manipulate the notification feed , which allows an attacker to use a cross-site scripting vulnerability to embed malicious code. |
| Product(s) Affected: | Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 |
| Fixed In: | Magento 2.1.17, Magento 2.2.8, Magento 2.3.1 |
| Reporter: | Max Chadwick |
| PRODSECBUG-2035: Stored cross-site scripting in the Admin Catalog configuration section | |
|---|---|
| Type: | General: Cross Site Scripting |
| CVSSv3 Severity: | 5.4 |
| Known Attacks: | none |
| Description: | An authenticated user with privileges to the Admin **Products** > **Catalog** configuration section can use a stored cross-site scripting vulnerability to embed malicious code. |
| Product(s) Affected: | Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 |
| Fixed In: | Magento 2.1.17, Magento 2.2.8, Magento 2.3.1 |
| Reporter: | Max Chadwick |
| PRODSECBUG-2168: Stored cross-site scripting in the Admin panel through the product configurations section | |
|---|---|
| Type: | General: Cross Site Scripting |
| CVSSv3 Severity: | 5.4 |
| Known Attacks: | none |
| Description: | An authenticated user with privileges to the Admin product configurations section can use a stored cross-site scripting vulnerability to embed malicious code. |
| Product(s) Affected: | Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 |
| Fixed In: | Magento 2.1.17, Magento 2.2.8, Magento 2.3.1 |
| Reporter: | Zhouyuan Yang of Fortinet's FortiGuard Labs |
| PRODSECBUG-1985: WYSIWYG | |
|---|---|
| Type: | General: Cross Site Request Forgery |
| CVSSv3 Severity: | 5.4 |
| Known Attacks: | none |
| Description: | An attacker can delete the content of wyswig directory within the context of authenticated administrator's session via cross-site request forgery. |
| Product(s) Affected: | Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 |
| Fixed In: | Magento 2.1.17, Magento 2.2.8, Magento 2.3.1 |
| Reporter: | boskostan |
| PRODSECBUG-2104: Missing CAPTCHA on Send to a friend page | |
|---|---|
| Type: | Other |
| CVSSv3 Severity: | 5.3 |
| Known Attacks: | none |
| Description: | Send to a friend page can be used for spamming due to missing CAPTCHA |
| Product(s) Affected: | Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 |
| Fixed In: | Magento 2.1.17, Magento 2.2.8, Magento 2.3.1 |
| Reporter: | support |
| PRODSECBUG-1883: Information disclosure in Magento 2.x default configuration | |
|---|---|
| Type: | Privilege Escalation & Enumeration: Insecure Direct Object Reference |
| CVSSv3 Severity: | 5.3 |
| Known Attacks: | none |
| Description: | Magento 2.x default configuration allows public access to custom PHP settings. |
| Product(s) Affected: | Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 |
| Fixed In: | Magento 2.1.17, Magento 2.2.8, Magento 2.3.1 |
| Reporter: | Willem de Groot |
| PRODSECBUG-2228: Sensitive Data Disclosure due toInsecure Direct Object References vulnerability | |
|---|---|
| Type: | Privilege Escalation & Enumeration: Insecure Direct Object Reference |
| CVSSv3 Severity: | 5.3 |
| Known Attacks: | none |
| Description: | An authenticated user canview Personally identifiable details of another user via exploiting an Insecure Direct Object References vulnerability |
| Product(s) Affected: | Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 |
| Fixed In: | Magento 2.1.17, Magento 2.2.8, Magento 2.3.1 |
| Reporter: | jealousbat |
| PRODSECBUG-2019: Spam using share a wishlist functionality | |
|---|---|
| Type: | Other |
| CVSSv3 Severity: | 4.8 |
| Known Attacks: | none |
| Description: | |
| Product(s) Affected: | Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 |
| Fixed In: | Magento 2.1.17, Magento 2.2.8, Magento 2.3.1 |
| Reporter: | community |
| PRODSECBUG-2197: Admin credentials are logged in exception reports | |
|---|---|
| Type: | Information Disclousure |
| CVSSv3 Severity: | 3.9 |
| Known Attacks: | none |
| Description: | Exception error reports capture administrative credentials in clear text format |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1, Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 |
| Fixed In: | Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086, Magento 2.1.17, Magento 2.2.8, Magento 2.3.1 |
| Reporter: | magecraze, Matt Hamm |
| PRODSECBUG-2213: Unauthorized access to wishlist via Insecure direct object reference in the application. | |
|---|---|
| Type: | Privilege Escalation & Enumeration: Insecure Direct Object Reference |
| CVSSv3 Severity: | 3.7 |
| Known Attacks: | none |
| Description: | An authenticated user can enumerate and access unauthorized wishlist via insecure direct object reference in the application. |
| Product(s) Affected: | Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 |
| Fixed In: | Magento 2.1.17, Magento 2.2.8, Magento 2.3.1 |
| Reporter: | Roberto Suggi Liverani |
| PRODSECBUG-2016: HTML injection vulnerability due to insufficient data validation | |
|---|---|
| Type: | Injections: Other |
| CVSSv3 Severity: | 3.1 |
| Known Attacks: | none |
| Description: | An authenticated user can add and execute a malicious script on an HTML page through a vulnerable CLI command due to lack ofdata validation. |
| Product(s) Affected: | Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 |
| Fixed In: | Magento 2.1.17, Magento 2.2.8, Magento 2.3.1 |
| Reporter: | scottsb |
Please refer to Security Best Practices for additional information on how to secure your site.
Be sure to implement and test the patch in a development environment first to confirm that it works as expected before deploying it to a production site.