Magento 2.3.2, 2.2.9 and 2.1.18 Security Update 2/3

June 25, 2019

Magento 2.3.2, 2.2.9, and 2.1.18 contain 75 critical security enhancements. These enhancements are described in three related blog posts — the post you’re currently reading plus these two separate posts, which you can find here: Part 1 and Part 3.

PRODSECBUG-2317: Stored cross-site scripting in admin panel - CVE-2019-7909
Type: General: cross-site scripting
CVSSv3 Severity: 5.5
Known Attacks: none
Description: A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious JavaScript.
Product(s) Affected: Magento Open Source prior to 1.9.4.2, Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Peter O'Callaghan

PRODSECBUG-2337: Stored cross-site scripting in the catalog templates form - CVE-2019-7921
Type: General: cross-site scripting
CVSSv3 Severity: 5.5
Known Attacks: none
Description: A stored cross-site scripting vulnerability exists in the product catalog form. This could be exploited by an authenticated user with privileges to the product catalog to inject malicious JavaScript.
Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Anonymously reported

PRODSECBUG-2226: Stored cross-site scripting in the admin panel - CVE-2019-7875
Type: General: cross-site scripting
CVSSv3 Severity: 5.5
Known Attacks: none
Description: A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious JavaScript.
Product(s) Affected: Magento Open Source prior to 1.9.4.2, Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Roberto Suggi Liverani

PRODSECBUG-2343: Insecure Direct Object Reference (IDOR) vulnerability can lead to deletion of downloadable products folder - CVE-2019-7925
Type: Others: Security Implementation Flaw
CVSSv3 Severity: 5.5
Known Attacks: none
Description: An admin with limited privileges can delete the downloadable products folder by abusing an Insecure Direct Object Reference (IDOR) vulnerability.
Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Michael Reizelman

PRODSECBUG-2345: Stored cross-site scripting in the admin panel - CVE-2019-7926
Type: General: cross-site scripting
CVSSv3 Severity: 5.5
Known Attacks: none
Description: A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious JavaScript.
Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Internal Penetration Testing

PRODSECBUG-2380: Stored cross-site scripting in the Currency Symbols field - CVE-2019-7945
Type: General: cross-site scripting
CVSSv3 Severity: 5.5
Known Attacks: none
Description: An authenticated user with privileges to the Currency Symbols functionality can inject malicious JavaScript.
Product(s) Affected: Magento Open Source prior to 1.9.4.2, Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Internal Penetration Testing

PRODSECBUG-2316: Stored cross-site scripting in the admin panel - CVE-2019-7908
Type: General: cross-site scripting
CVSSv3 Severity: 5.5
Known Attacks: none
Description: A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious JavaScript.
Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Praveen Sutar

PRODSECBUG-2244: Stored cross-site scripting in the admin panel - CVE-2019-7880
Type: General: cross-site scripting
CVSSv3 Severity: 5.5
Known Attacks: none
Description: A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious JavaScript.
Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Roberto Suggi Liverani

PRODSECBUG-2233: Stored cross-site scripting in the admin panel - CVE-2019-7877
Type: General: cross-site scripting
CVSSv3 Severity: 5.5
Known Attacks: none
Description: A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious JavaScript.
Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Simon Scannell

PRODSECBUG-2194: Stored cross-site scripting in the admin panel - CVE-2019-7869
Type: General: cross-site scripting
CVSSv3 Severity: 5.5
Known Attacks: none
Description: A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious JavaScript.
Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: DDV_UA

PRODSECBUG-2193: Stored cross-site scripting in the admin panel - CVE-2019-7868
Type: General: cross-site scripting
CVSSv3 Severity: 5.5
Known Attacks: none
Description: A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious JavaScript.
Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: DDV_UA

PRODSECBUG-2190: Stored cross-site scripting in the admin panel - CVE-2019-7867
Type: General: cross-site scripting
CVSSv3 Severity: 5.5
Known Attacks: none
Description: A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious JavaScript.
Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: DDV_UA

PRODSECBUG-2188: Stored cross-site scripting in the admin panel - CVE-2019-7866
Type: General: cross-site scripting
CVSSv3 Severity: 5.5
Known Attacks: none
Description: A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious JavaScript.
Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: DDV_UA

PRODSECBUG-2183: Stored cross-site scripting in admin panel - CVE-2019-7863
Type: General: cross-site scripting
CVSSv3 Severity: 5.5
Known Attacks: none
Description: A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious JavaScript.
Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: DDV_UA

PRODSECBUG-2353: Stored cross-site scripting in the admin panel - CVE-2019-7934
Type: General: cross-site scripting
CVSSv3 Severity: 5.5
Known Attacks: none
Description: A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious JavaScript.
Product(s) Affected: Magento Open Source prior to 1.9.4.2, Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Roberto Suggi Liverani

PRODSECBUG-2363: Stored cross-site scripting in the admin panel - CVE-2019-7935
Type: General: cross-site scripting
CVSSv3 Severity: 5.5
Known Attacks: none
Description: A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious JavaScript.
Product(s) Affected: Magento Open Source prior to 1.9.4.2, Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Max Chadwick

PRODSECBUG-2369: Stored cross-site scripting in the admin panel - CVE-2019-7938
Type: General: cross-site scripting
CVSSv3 Severity: 5.5
Known Attacks: none
Description: A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious JavaScript.
Product(s) Affected: Magento Open Source prior to 1.9.4.2, Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Karim El Ouerghemmi

PRODSECBUG-2371: Stored cross-site scripting in the admin panel - CVE-2019-7940
Type: General: cross-site scripting
CVSSv3 Severity: 5.5
Known Attacks: none
Description: A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious JavaScript.
Product(s) Affected: Magento Open Source prior to 1.9.4.2, Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Max Chadwick

PRODSECBUG-2378: Stored cross-site scripting in the Return Product comments feature - CVE-2019-7944
Type: General: cross-site scripting
CVSSv3 Severity: 5.5
Known Attacks: none
Description: A stored cross-site scripting vulnerability exists in the product comments field. An authenticated user with privileges to the Return Product comments field can inject malicious JavaScript.
Product(s) Affected: Magento Open Source prior to 1.9.4.2, Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Internal Penetration Testing

PRODSECBUG-2128: Stored cross-site scripting in the Admin Panel through the tax/notification/info_url setting - CVE-2019-7853
Type: General: cross-site scripting
CVSSv3 Severity: 5.5
Known Attacks: none
Description: An authenticated user with privileges to the tax > notification > info_url setting in the Admin panel can embed malicious code through a stored cross-site scripting vulnerability.
Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Max Chadwick

PRODSECBUG-2173: Path traversal vulnerability in WYSIWYG editor - CVE-2019-7859
Type: General: Information Leakage
CVSSv3 Severity: 5.3
Known Attacks: none
Description: An attacker can access uploaded images directly by traversing to their URLs, because access to them is not sufficiently controlled.
Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Internal Penetration Testing

PRODSECBUG-2172: Insecure user credential storage - CVE-2019-7858
Type: General: Cryptographic/Encryption/Hashing Flaw
CVSSv3 Severity: 5.3
Known Attacks: none
Description: User passwords are stored using an algorithm that is insufficiently resistant to brute force attacks.
Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Max Chadwick

PRODSECBUG-2164: Use of cryptographically weak PRNG to create gift card codes - CVE-2019-7855
Type: General: Cryptographic/Encryption/Hashing Flaw
CVSSv3 Severity: 5.3
Known Attacks: none
Description: Given a single gift card code, an unauthenticated user can discover an invariant used in gift card generation.
Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Max Chadwick

PRODSECBUG-2300: Information about disabled products can be leaked due to inadequate validation checks - CVE-2019-7898
Type: General: Information Leakage
CVSSv3 Severity: 5.3
Known Attacks: none
Description: Inadequate validation can lead to disclosure of downloadable product samples even if the product is marked as disabled.
Product(s) Affected: Magento Open Source prior to 1.9.4.2, Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Edgar Boda-Majer

PRODSECBUG-2276: Insecure Direct Object Reference (IDOR) vulnerability can expose order shipping details - CVE-2019-7890
Type: Privilege Escalation & Enumeration: Insecure Direct Object Reference
CVSSv3 Severity: 5.3
Known Attacks: none
Description: An Insecure Direct Object Reference (IDOR) vulnerability in the order processing workflow can lead to unauthorized access to order details.
Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Anonymously reported

PRODSECBUG-2132: Insecure Direct Object Reference (IDOR) vulnerability can expose sensitive company details - CVE-2019-7854
Type: Privilege Escalation & Enumeration: Insecure Direct Object Reference
CVSSv3 Severity: 5.3
Known Attacks: none
Description: An Insecure Direct Object Reference (IDOR) vulnerability can lead to unauthorized disclosure of company credit history details.
Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Max Chadwick

PRODSECBUG-2270: Reflected cross-site scripting in the admin panel - CVE-2019-7887
Type: General: cross-site scripting
CVSSv3 Severity: 5.0
Known Attacks: none
Description: A reflected cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious JavaScript.
Product(s) Affected: Magento Open Source prior to 1.9.4.2, Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: SmashITs

PRODSECBUG-2245: Stored cross-site scripting in store shipping methods configuration - CVE-2019-7881
Type: General: cross-site scripting
CVSSv3 Severity: 4.8
Known Attacks: none
Description: A stored cross-site scripting vulnerability exists in the shipping methods configuration. This could be exploited by an authenticated user with privileges to the feature to inject malicious JavaScript.
Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Max Chadwick

PRODSECBUG-2246: Stored cross-site scripting in the WYSIWYG editor - CVE-2019-7882
Type: General: injection
CVSSv3 Severity: 4.8
Known Attacks: none
Description: A stored cross-site scripting vulnerability exists in the WYSIWYG editor. This could be exploited by an authenticated user with privileges to the editor to inject malicious SWF files.
Product(s) Affected: Magento Open Source prior to 1.9.4.2, Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: KAnev

PRODSECBUG-2370: Reflected cross-site scripting on customer cart page - CVE-2019-7939
Type: General: cross-site scripting
CVSSv3 Severity: 4.7
Known Attacks: none
Description: A reflected cross-site scripting vulnerability exists on the customer cart checkout page. This could be exploited by sending a victim a crafted URL that results in malicious JavaScript execution in the victim's browser.
Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Topi Viljanen