New Security Update

Install critical updates for Magento 1.x and Magento 2.x versions

Magento 2.3.2, 2.2.9 and 2.1.18 Security Update 1/3

June 25, 2019

Magento Commerce and Open Source 2.3.2, 2.2.9 and 2.1.18 contain 75 security enhancements that help close Remote Code Execution (RCE), Cross-Site Scripting (XSS) and other vulnerabilities. These enhancements are described in three related blog posts: the post you are currently reading, plus Part 2 and Part 3.

Merchants who have not previously downloaded a Magento 2 release should go straight to Magento Commerce or Open Source 2.3.2.

Please refer to Security Best Practices for additional information on how to secure your site.

The Magento 2.1.18 software release marks the final supported software release for Magento version 2.1.x. As of June 30, 2019, Magento 2.1.x will no longer receive security updates or product quality fixes, as its support window has expired.

To download the releases, choose from the following options:

Partners:

Magento Commerce 2.3.2 (New .zip file installations)

Partner Portal > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.3.2

Magento Commerce 2.2.9 (New .zip file installations)

Partner Portal > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.2.9

Magento Commerce 2.1.18 (New .zip file installations)

Partner Portal > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.1.18

Magento Commerce 2.3.2, 2.2.9 and 2.1.18 (New composer installations)

https://devdocs.magento.com/guides/v2.2/install-gde/composer.html

Magento Commerce 2.3.2, 2.2.9 and 2.1.18 (Composer upgrades)

https://devdocs.magento.com/guides/v2.3/comp-mgr/bk-compman-upgrade-guide.html

Magento Commerce:

Magento Commerce 2.3.2 (New .zip file installations)

My Account > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.3.2

Magento Commerce 2.2.9 (New .zip file installations)

My Account > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.2.9

Magento Commerce 2.1.18 (New .zip file installations)

My Account > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.1.18

Magento Commerce 2.3.2, 2.2.9 and 2.1.18 (New composer installations)

https://devdocs.magento.com/guides/v2.3/install-gde/composer.html

Magento Commerce 2.3.2, 2.2.9 and 2.1.18 (Composer upgrades)

https://devdocs.magento.com/guides/v2.3/comp-mgr/bk-compman-upgrade-guide.html

Magento Open Source:

Magento Open Source 2.3.2, 2.2.9 and 2.1.18 (New .zip file installations)

Magento Open Source Download Page > Download Tab

Magento Open Source 2.3.2, 2.2.9 and 2.1.18 (New composer installations)

https://devdocs.magento.com/guides/v2.3/install-gde/composer.html

Magento Open Source 2.3.2, 2.2.9 and 2.1.18 (Composer upgrades)

https://devdocs.magento.com/guides/v2.3/comp-mgr/bk-compman-upgrade-guide.html

Magento Open Source 2.3.2, 2.2.9 and 2.1.18 (Developers contributing to the Open Source code base)

https://devdocs.magento.com/guides/v2.3/install-gde/install/cli/dev_options.html
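
As an added defender's check (example code, not part of the advisory or of Magento itself), the script below decides whether a reported Magento version is already at or past the fixed versions named in this post. It assumes the version string comes from `bin/magento --version` output or a composer.lock fragment, and the `Finding` type and the `edition` parameter (needed only for 1.x, where Open Source and Commerce have different fixed releases) are this example's own.

```python
"""Decide whether an installed Magento version already carries this advisory's fixes."""
import re
from typing import NamedTuple, Optional

# Fixed Magento 2 versions named in the advisory, keyed by release line.
MAGENTO2_FIXED = {(2, 1): (2, 1, 18), (2, 2): (2, 2, 9), (2, 3): (2, 3, 2)}
# Magento 1.x releases the advisory lists for the issues that also affect 1.x.
MAGENTO1_FIXED = {"open-source": (1, 9, 4, 2), "commerce": (1, 14, 4, 2)}

# First dotted number in the text; feed it a single version line, not a whole composer.lock.
VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")


class Finding(NamedTuple):
    installed: tuple
    status: str            # "patched", "upgrade" or "unknown"
    target: Optional[tuple]
    note: str


def parse_version(text: str) -> tuple:
    """Pull a dotted version out of text such as 'Magento CLI 2.3.1' or '"version": "2.3.1"'."""
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def assess(text: str, edition: str = "open-source") -> Finding:
    """Compare the installed version with the advisory's fixed versions (tuple order == version order)."""
    installed = parse_version(text)
    if installed[0] == 2:
        line = installed[:2]
        fixed = MAGENTO2_FIXED.get(line)
        if fixed is None:
            return Finding(installed, "unknown", None, "release line not covered by this advisory")
        # The advisory states 2.1.x stops receiving security fixes on June 30, 2019.
        note = "2.1.x support ends June 30, 2019; plan a move to 2.3.2" if line == (2, 1) else ""
        status = "patched" if installed >= fixed else "upgrade"
        return Finding(installed, status, fixed, note)
    if installed[0] == 1:
        fixed = MAGENTO1_FIXED[edition]
        if installed >= fixed:
            return Finding(installed, "patched", fixed, "")
        # A 1.x site may carry SUPEE-11155 without the version bump; check applied patches too.
        return Finding(installed, "upgrade", fixed, "upgrade or apply SUPEE-11155")
    return Finding(installed, "unknown", None, "unrecognised major version")


if __name__ == "__main__":
    # Constructed sample inputs, not output captured from any real store.
    for sample in ("Magento CLI 2.3.1", "Magento CLI 2.2.9", '"version": "1.9.4.1"'):
        print(sample, "->", assess(sample))
```

A 1.x site that applied SUPEE-11155 without moving to 1.9.4.2 or 1.14.4.2 still reports the older version, so treat an "upgrade" verdict on 1.x as a prompt to inspect applied patches rather than a final answer.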

PRODSECBUG-2296: Arbitrary code execution through design layout update - CVE-2019-7895
Type: General: Remote Code Execution
CVSSv3 Severity: 9.1
Known Attacks: none
Description:

An authenticated user with admin privileges can execute arbitrary code through a crafted XML layout update.

Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Blaklis

PRODSECBUG-2298: Arbitrary code execution through product imports and design layout update - CVE-2019-7896
Type: General: Remote Code Execution
CVSSv3 Severity: 9.1
Known Attacks: none
Description:

An authenticated user with admin privileges can execute arbitrary code through a combination of a product import via a crafted CSV file and an XML layout update.

Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Edgar Boda-Majer

PRODSECBUG-2349: Arbitrary code execution via file upload in admin import feature - CVE-2019-7930
Type: File Problems: Unsafe File Upload
CVSSv3 Severity: 9.1
Known Attacks: none
Description:

An authenticated user with admin privileges to the import feature can execute arbitrary code by uploading a malicious CSV file.

Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: sambecks

PRODSECBUG-2202: Security bypass via form data injection - CVE-2019-7871
Type: General: Remote Code Execution
CVSSv3 Severity: 9.1
Known Attacks: none
Description:

An authenticated user can inject form data and bypass security protections that prevent arbitrary PHP script upload.

Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Max Chadwick

PRODSECBUG-2375: Arbitrary code execution via malicious XML layouts - CVE-2019-7942
Type: General: Remote Code Execution
CVSSv3 Severity: 9.1
Known Attacks: none
Description:

An authenticated user with admin privileges can execute arbitrary code when creating a product via malicious XML layouts.

Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Charles Fol

PRODSECBUG-2306: Remote code execution through crafted email templates - CVE-2019-7903
Type: General: Remote Code Execution
CVSSv3 Severity: 9.0
Known Attacks: none
Description:

An authenticated user with admin privileges can execute arbitrary code through crafted email template code when previewing the template.

Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Karim El Ouerghemmi

PRODSECBUG-2350: MySQL error through crafted Elasticsearch query - CVE-2019-7931
Type: General: injection
CVSSv3 Severity: 9.0
Known Attacks: Reported
Description:

An attacker can tamper with search queries, causing a MySQL error, when Elasticsearch is set as the search provider.

Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Anonymously reported

PRODSECBUG-2351: Arbitrary code execution via crafted sitemap creation - CVE-2019-7932
Type: General: Remote Code Execution
CVSSv3 Severity: 9.0
Known Attacks: none
Description:

An authenticated user with admin privileges to create sitemaps can execute arbitrary code through crafted filenames that include a .php extension within the XML filename.

Product(s) Affected: Magento Open Source prior to 1.9.4.2, Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Simon Scannell

PRODSECBUG-2266: Arbitrary code execution through malicious Elasticsearch module configuration - CVE-2019-7885
Type: General: Remote Code Execution
CVSSv3 Severity: 9.0
Known Attacks: none
Description:

An authenticated user with privileges to configure the catalog search can execute arbitrary code through malicious configuration of the Elasticsearch module.

Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Simon Scannell

PRODSECBUG-2429: Insecure object reference via customer REST API - CVE-2019-7950
Type: General: Information Leakage
CVSSv3 Severity: 8.8
Known Attacks: none
Description:

Unauthenticated users can pass arbitrary values for company attribute parameters via POST and PUT actions and assign themselves to an arbitrary company, effectively gaining access to that company's confidential information.

Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Internal Penetration Testing

PRODSECBUG-2307: Insufficient enforcement of user access controls can lead to unauthorized environment configuration changes - CVE-2019-7904
Type: Privilege Escalation & Enumeration: Broken Authentication and Session Management
CVSSv3 Severity: 8.5
Known Attacks: none
Description:

Insufficient enforcement of user access controls can be abused by a low-privileged user to make unauthorized environment configuration changes, such as removing security controls.

Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Edgar Boda-Majer

PRODSECBUG-2198: SQL Injection due to a flaw in MySQL adapter - CVE-2019-7139
Type: General: SQL Injection (Blind Read)
CVSSv3 Severity: 8.2
Known Attacks: none
Description:

An unauthenticated user in Magento 2.x, or an authenticated user in Magento 1.x, can execute SQL statements that allow arbitrary read access to the underlying database.

Note: this issue was already addressed in the 2.2.8 and 2.3.1 releases and in the separately released PRODSECBUG-2198 patches. This release adds the fix for version 2.1.x.

Product(s) Affected: Magento 2.1 prior to 2.1.18
Fixed In: Magento 2.1.18
Reporter: Charles Fol

PRODSECBUG-2347: Insufficient brute-forcing defenses in the token exchange protocol could be abused in carding attacks - CVE-2019-7928
Type: Others: Denial of Service
CVSSv3 Severity: 8.2
Known Attacks: Reported
Description:

Insufficient brute-forcing defenses in the token exchange protocol between Magento and payment processors could be abused in carding attacks.

Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter:

PRODSECBUG-2285: Arbitrary code execution due to unsafe handling of a carrier gateway - CVE-2019-7892
Type: General: Remote Code Execution
CVSSv3 Severity: 8.0
Known Attacks: none
Description:

An authenticated user with admin privileges to access shipment settings can execute arbitrary code through server-side request forgery.

Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Max Chadwick

PRODSECBUG-2232: Arbitrary code execution via layout manipulation - CVE-2019-7876
Type: General: Remote Code Execution
CVSSv3 Severity: 8.0
Known Attacks: none
Description:

An authenticated user with privileges to manipulate layout can execute arbitrary code through a crafted custom layout update field.

Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Peter O'Callaghan

PRODSECBUG-2339: Arbitrary code execution due to unsafe handling of a carrier gateway - CVE-2019-7923
Type: General: Remote Code Execution
CVSSv3 Severity: 8.0
Known Attacks: none
Description:

An authenticated user with admin privileges to manipulate shipment settings can execute arbitrary code through server-side request forgery.

Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Max Chadwick

PRODSECBUG-2322: Arbitrary code execution due to unsafe handling of a shipping gateway - CVE-2019-7913
Type: General: Remote Code Execution
CVSSv3 Severity: 7.9
Known Attacks: none
Description:

An authenticated user with admin privileges to manipulate shipment methods can execute arbitrary code through server-side request forgery.

Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Max Chadwick

PRODSECBUG-2320: Arbitrary code execution due to unsafe handling of system configuration - CVE-2019-7911
Type: General: Remote Code Execution
CVSSv3 Severity: 7.9
Known Attacks: none
Description:

An authenticated user with admin privileges to manipulate system configuration can execute arbitrary code through server-side request forgery.

Product(s) Affected: Magento Open Source prior to 1.9.4.2, Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Max Chadwick

PRODSECBUG-2430: Security bypass via crafted SOAP requests - CVE-2019-7951
Type: General: Remote Code Execution
CVSSv3 Severity: 7.4
Known Attacks: none
Description:

A SOAP web service endpoint does not properly enforce parameters related to the access control list and customer identification, allowing arbitrary customer identification in crafted SOAP requests.

Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Internal Penetration Testing

PRODSECBUG-2177: Insufficient server-side validation leads to insecure file upload vulnerability - CVE-2019-7861
Type: Others: Security Implementation Flaw
CVSSv3 Severity: 6.5
Known Attacks: none
Description:

An attacker can upload malicious files due to insufficient server-side validation.

Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Internal Penetration Testing

PRODSECBUG-2325: Denial-of-service by forcing a store to respond with a 404 error - CVE-2019-7915
Type: General: Remote Code Execution
CVSSv3 Severity: 6.5
Known Attacks: none
Description:

An attacker can cause a denial-of-service via a crafted request that results in the Magento store serving a cached 404 error response.

Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Matti Vapa

PRODSECBUG-2208: Insufficient authorization check when adding users to company accounts - CVE-2019-7872
Type: Privilege Escalation & Enumeration: Insecure Direct Object Reference
CVSSv3 Severity: 6.0
Known Attacks: none
Description:

Insufficient authorization checks could be abused by a user with admin privileges to add users to company accounts, or modify existing user details.

Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: craig-gene

PRODSECBUG-2222: Deletion of user roles via cross-site request forgery (CSRF) - CVE-2019-7874
Type: General: Cross Site Request Forgery
CVSSv3 Severity: 5.8
Known Attacks: none
Description:

An attacker can delete user roles within the context of an authenticated administrator's session through cross-site request forgery (CSRF).

Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Djordje Marjanovic

PRODSECBUG-2346: Stored cross-site scripting in the admin panel - CVE-2019-7927
Type: General: cross-site scripting
CVSSv3 Severity: 5.5
Known Attacks: none
Description:

A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious JavaScript.

Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Internal Penetration Testing

PRODSECBUG-2364: Stored cross-site scripting in the admin panel - CVE-2019-7936
Type: General: cross-site scripting
CVSSv3 Severity: 5.5
Known Attacks: none
Description:

A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious JavaScript.

Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Max Chadwick

PRODSECBUG-2116: Stored cross-site scripting in the catalog events feature - CVE-2019-7850
Type: General: cross-site scripting
CVSSv3 Severity: 5.5
Known Attacks: none
Description:

A stored cross-site scripting vulnerability exists in the catalog marketing events form. This could be exploited by an authenticated user with privileges to catalog events to inject malicious JavaScript.

Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Max Chadwick

PRODSECBUG-2182: Reflected cross-site scripting in the admin panel - CVE-2019-7862
Type: General: cross-site scripting
CVSSv3 Severity: 5.5
Known Attacks: none
Description:

A reflected cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious JavaScript.

Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Magecraze

PRODSECBUG-2366: Stored cross-site scripting in the admin panel - CVE-2019-7937
Type: General: cross-site scripting
CVSSv3 Severity: 5.5
Known Attacks: none
Description:

A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious JavaScript.

Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Max Chadwick

PRODSECBUG-2275: Unsafe functionality is exposed via email template manipulation - CVE-2019-7889
Type: General: injection
CVSSv3 Severity: 5.5
Known Attacks: none
Description:

An authenticated user with marketing manipulation privileges can invoke methods that alter data of the underlying model, followed by the corresponding database modifications.

Product(s) Affected: Magento Open Source prior to 1.9.4.2, Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Blaklis

PRODSECBUG-2299: Stored cross-site scripting in the admin panel - CVE-2019-7897
Type: General: cross-site scripting
CVSSv3 Severity: 5.5
Known Attacks: none
Description:

A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious JavaScript.

Product(s) Affected: Magento Open Source prior to 1.9.4.2, Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Karim El Ouerghemmi

Be sure to implement and test the patch in a development environment first to confirm that it works as expected before deploying it to a production site.