Magento 2.3.2, 2.2.9 and 2.1.18 Security Update 3/3

June 25, 2019

Magento 2.3.2, 2.2.9, and 2.1.18 contain 75 critical security enhancements. These enhancements are described in three related blog posts — the post you’re currently reading plus these two separate posts, which you can find here: Part 1 and Part 2.

PRODSECBUG-2273: Sensitive data disclosure through malicious email templates - CVE-2019-7888
Type: General: Remote Code Execution
CVSSv3 Severity: 4.4
Known Attacks: none
Description:

An authenticated user with privileges to create email templates can leak sensitive data through malicious email template code.

Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Blaklis

PRODSECBUG-2348: Sensitive data disclosure via crafted two factor edit user form - CVE-2019-7929
Type: General: Information Leakage
CVSSv3 Severity: 4.3
Known Attacks: none
Description:

An authenticated user with full admin privileges can create two-factor settings that a low-privileged user can abuse to leak sensitive data via a crafted user form component.

Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Max Chadwick

PRODSECBUG-2301: Names of disabled products can be leaked due to inadequate validation checks - CVE-2019-7899
Type: General: Information Leakage
CVSSv3 Severity: 4.3
Known Attacks: none
Description:

Inadequate validation can lead to disclosure of product names even if marked as disabled.

Product(s) Affected: Magento Open Source prior to 1.9.4.2, Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Edgar Boda-Majer

PRODSECBUG-2171: Insecure token implementation leads to Cross-Site Request Forgery (CSRF) - CVE-2019-7857
Type: General: Cross Site Request Forgery
CVSSv3 Severity: 4.3
Known Attacks: none
Description:

An insufficiently robust anti-CSRF token implementation could be abused to add unwanted items to a shopper's cart.

Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Internal Penetration Testing

PRODSECBUG-2220: Deletion of store design schedule via cross-site request forgery (CSRF) - CVE-2019-7873
Type: General: Cross Site Request Forgery
CVSSv3 Severity: 4.2
Known Attacks: none
Description:

An attacker can delete the store design schedule within the context of an authenticated administrator's session through cross-site request forgery.

Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Djordje Marjanovic

PRODSECBUG-2125: Deletion of Blocks via cross-site request forgery (CSRF) - CVE-2019-7851
Type: General: Cross Site Request Forgery
CVSSv3 Severity: 4.2
Known Attacks: none
Description:

An attacker can delete all blocks within the context of an authenticated administrator's session, causing the loss of data from customer pages.

Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Djordje Marjanovic

PRODSECBUG-2174: Use of insufficiently random values in multiple security relevant contexts - CVE-2019-7860
Type: General: Cryptographic/Encryption/Hashing Flaw
CVSSv3 Severity: 3.7
Known Attacks: none
Description:

A cryptographically weak pseudo-random number generator is used in multiple security-relevant contexts (e.g., anti-CSRF tokens), allowing a malicious user to predict the generated values.

Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Internal Penetration Testing

PRODSECBUG-2186: Insecure Direct Object Reference (IDOR) vulnerability can expose order details - CVE-2019-7864
Type: Privilege Escalation & Enumeration: Insecure Direct Object Reference
CVSSv3 Severity: 3.7
Known Attacks: none
Description:

An Insecure Direct Object Reference (IDOR) vulnerability in the RSS feeds functionality can lead to unauthorized access to order details.

Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Roberto Suggi Liverani

PRODSECBUG-2267: Use of insufficiently random values when generating initialization vector - CVE-2019-7886
Type: General: Cryptographic/Encryption/Hashing Flaw
CVSSv3 Severity: 3.7
Known Attacks: none
Description:

A cryptographically weak pseudo-random number generator and an insecure block cipher mode are used to generate the initialization vector in multiple security-relevant contexts.

Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: rbsec

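The anti-CSRF entries above (PRODSECBUG-2171, 2220, 2125, 2387, 2187) and the two PRNG entries (PRODSECBUG-2174 and PRODSECBUG-2267) share one remediation pattern: secrets such as tokens and initialization vectors must come from a cryptographically secure source, tokens must be compared in constant time, and encryption must use a mode that authenticates the data. The following PHP is an added example written for this page, not Magento's own code, and does not reproduce Magento's internals: it places the weak token pattern beside a hardened one (`random_bytes` plus `hash_equals`), adds a server-side token check for a state-changing request, and uses AES-256-GCM with a fresh per-message IV in place of a weak or reused IV. Function names such as `secureCsrfToken`, `requestHasValidCsrfToken` and `secureEncrypt` are hypothetical; the session and POST arrays are constructed inline. Requires PHP 7.1 or later for GCM support in `openssl_encrypt`.

```php
<?php
declare(strict_types=1);

// Added example, not Magento's own code. Function names are hypothetical.

// Weak: mt_rand() is a Mersenne Twister and is not designed to resist
// prediction, so a token derived from it is guessable after enough outputs
// have been observed. Shown only as the pattern the hardened version replaces.
function weakCsrfToken(): string
{
    return md5((string) mt_rand());
}

// Hardened: random_bytes() reads the operating system's CSPRNG. 32 bytes is
// a 256-bit token; hex-encode it for a hidden form field or header.
function secureCsrfToken(): string
{
    return bin2hex(random_bytes(32));
}

// Server-side check for a state-changing request: the token stored in the
// session must equal the one submitted, compared in constant time so the
// response timing does not reveal how many leading bytes matched.
// A missing or non-string token on either side is a failure, never a pass.
function requestHasValidCsrfToken(array $session, array $post): bool
{
    $expected  = $session['csrf_token'] ?? '';
    $submitted = $post['csrf_token'] ?? '';
    if (!is_string($expected) || $expected === '' || !is_string($submitted)) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Hardened encryption: AES-256-GCM with a fresh 12-byte IV from the CSPRNG
// for every message and a 16-byte authentication tag. ECB mode (no IV, no
// integrity) and a fixed or mt_rand()-derived IV are the patterns to avoid.
// Output layout: iv | tag | ciphertext.
function secureEncrypt(string $key, string $plaintext): string
{
    if (strlen($key) !== 32) {
        throw new InvalidArgumentException('key must be 32 bytes');
    }
    $iv  = random_bytes(12);
    $tag = '';
    $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, '', 16);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return $iv . $tag . $ct;
}

// Returns null on any failure: a wrong key, an altered IV or tag, or a
// tampered ciphertext all fail the tag check instead of yielding garbage.
function secureDecrypt(string $key, string $blob): ?string
{
    if (strlen($blob) < 28) {
        return null;
    }
    $iv  = substr($blob, 0, 12);
    $tag = substr($blob, 12, 16);
    $ct  = substr($blob, 28);
    $pt  = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt;
}

// Self-checks on constructed data (session and POST arrays stand in for
// $_SESSION and $_POST).
$session = ['csrf_token' => secureCsrfToken()];
if (!requestHasValidCsrfToken($session, ['csrf_token' => $session['csrf_token']])) {
    throw new RuntimeException('valid token rejected');
}
if (requestHasValidCsrfToken($session, []) || requestHasValidCsrfToken([], [])) {
    throw new RuntimeException('missing token accepted');
}
if (requestHasValidCsrfToken($session, ['csrf_token' => weakCsrfToken()])) {
    throw new RuntimeException('unrelated token accepted');
}

$key = random_bytes(32);
$msg = 'order total: 42.00';
$a   = secureEncrypt($key, $msg);
$b   = secureEncrypt($key, $msg);
if ($a === $b) {
    throw new RuntimeException('IV reused: identical ciphertexts for identical input');
}
if (secureDecrypt($key, $a) !== $msg) {
    throw new RuntimeException('round trip failed');
}
$tampered = $a;
$last = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 0x01);
if (secureDecrypt($key, $tampered) !== null) {
    throw new RuntimeException('tampering not detected');
}
echo "ok\n";
```

Two design points carry over to any platform: the token check treats an absent token as a failure rather than skipping validation, which is the usual way a "defense-in-depth" check silently turns into no check at all; and the encryption API returns `null` on any integrity failure, so callers cannot accidentally act on partially decrypted data.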
PRODSECBUG-1513: Insufficient brute force protections on promo code entry - CVE-2019-8065
Type: General: Remote Code Execution
CVSSv3 Severity: 3.7
Known Attacks: none
Description:

Insufficient brute force protections on promo code entry could allow an attacker to guess discount codes offered by the Magento merchant.

Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: hkln1

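The mitigation for PRODSECBUG-1513 is to bound the number of failed coupon attempts a single client can make. The following PHP is an added example for this page, not Magento's code and not a description of how Magento implemented its fix: a per-client failure counter with a lockout window placed in front of coupon validation, returning the same generic response whether the code is wrong or the client is locked out. The class name `CouponAttemptLimiter`, the function `applyCoupon`, the client identifier and the coupon list are all hypothetical or constructed; the state lives in an in-memory array so the example runs stand-alone, where a deployment would use a shared store. Requires PHP 8.0 or later (constructor property promotion and named arguments).

```php
<?php
declare(strict_types=1);

// Added example, not Magento's code. Names are hypothetical.

final class CouponAttemptLimiter
{
    /** @var array<string, array{failures:int, lockedUntil:int}> */
    private array $state = [];

    public function __construct(
        private int $maxFailures = 5,
        private int $lockoutSeconds = 900
    ) {
    }

    public function isLocked(string $clientId, int $now): bool
    {
        return ($this->state[$clientId]['lockedUntil'] ?? 0) > $now;
    }

    // Count a failed attempt; once the threshold is reached, lock the client
    // for the window and reset the counter so the next window starts clean.
    public function recordFailure(string $clientId, int $now): void
    {
        $entry = $this->state[$clientId] ?? ['failures' => 0, 'lockedUntil' => 0];
        $entry['failures']++;
        if ($entry['failures'] >= $this->maxFailures) {
            $entry['lockedUntil'] = $now + $this->lockoutSeconds;
            $entry['failures']    = 0;
        }
        $this->state[$clientId] = $entry;
    }

    public function recordSuccess(string $clientId): void
    {
        unset($this->state[$clientId]);
    }
}

// Constructed stand-in for the merchant's coupon rule table.
const VALID_CODES = ['SUMMER10', 'WELCOME5'];

// Returns 'applied' or 'invalid'. The limiter is consulted before the code
// is looked up, and a locked-out client gets the same 'invalid' answer as a
// wrong code, so the response confirms nothing about the code itself.
function applyCoupon(CouponAttemptLimiter $limiter, string $clientId, string $code, int $now): string
{
    if ($limiter->isLocked($clientId, $now)) {
        return 'invalid';
    }
    if (!in_array(strtoupper($code), VALID_CODES, true)) {
        $limiter->recordFailure($clientId, $now);
        return 'invalid';
    }
    $limiter->recordSuccess($clientId);
    return 'applied';
}

// Self-check on constructed input. The client key is the quote (cart) id
// rather than only the source IP, so the limit follows the cart.
$limiter = new CouponAttemptLimiter(maxFailures: 5, lockoutSeconds: 900);
$client  = 'quote:12345';
$t       = 1_000_000;

for ($i = 0; $i < 5; $i++) {
    applyCoupon($limiter, $client, "GUESS$i", $t + $i);   // five wrong codes
}
// While locked out, even the correct code is refused.
if (applyCoupon($limiter, $client, 'SUMMER10', $t + 5) !== 'invalid') {
    throw new RuntimeException('lockout not enforced');
}
// After the window has passed, the legitimate code is accepted.
if (applyCoupon($limiter, $client, 'SUMMER10', $t + 5 + 900) !== 'applied') {
    throw new RuntimeException('lockout did not expire');
}
echo "ok\n";
```

Keying the limiter on the quote or session rather than the IP alone matters for a storefront: guesses distributed across many source addresses against one cart still accumulate against that cart, and a CAPTCHA or an alert to the merchant can be triggered from the same counter once it crosses the threshold.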
PRODSECBUG-2127: Disclosure of Magento admin panel URL - CVE-2019-7852
Type: Privilege Escalation & Enumeration: Path Disclosure
CVSSv3 Severity: 3.7
Known Attacks: none
Description:

Requests for a specific file path could result in a redirect to the URL of the Magento admin panel, disclosing its location to potentially unauthorized parties.

Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Max Chadwick

PRODSECBUG-2095: Defense-in-depth session validation check implemented - CVE-2019-8067
Type: Privilege Escalation & Enumeration: Broken Authentication and Session Management
CVSSv3 Severity: 3.7
Known Attacks: none
Description:

A defense-in-depth check was added to mitigate inadequate session validation handling by third-party checkout modules.

Product(s) Affected: Magento Open Source prior to 1.9.4.2, Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Roger-Keulen

PRODSECBUG-2387: Cross site request forgery attacks are possible via the gift card removal feature - CVE-2019-7947
Type: General: Cross Site Request Forgery
CVSSv3 Severity: 3.1
Known Attacks: none
Description:

A cross-site request forgery vulnerability exists in the GiftCardAccount removal feature.

Product(s) Affected: Magento Open Source prior to 1.9.4.2, Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Anonymously reported

PRODSECBUG-2187: Cross-site request forgery (CSRF) in checkout cart item - CVE-2019-7865
Type: General: Cross Site Request Forgery
CVSSv3 Severity: 3.1
Known Attacks: none
Description:

A cross-site request forgery vulnerability exists in the checkout cart item. This could be exploited at the time of editing or configuration.

Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Magecraze

PRODSECBUG-2321: Filter extension bypass via crafted store configuration keys - CVE-2019-7912
Type: General: Remote Code Execution
CVSSv3 Severity: 2.7
Known Attacks: none
Description:

An authenticated user with admin privileges to edit certain configuration keys can bypass a file extension filter by allowing uploads of executable file extensions.

Product(s) Affected: Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In: Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter: Blaklis