New Security Update

Install critical updates for Magento 1.x and Magento 2.x versions

See the Details

NEW! Magento Security Scan Tool

Monitor your sites for security risks, update malware patches, and detect unauthorized access with Magento Security Scan, the latest FREE tool from Magento Commerce.

Go to Security Scan

< Security Center

Filter by topic

Magento 2.3.2, 2.2.9 and 2.1.18 Security Update 3/3

June 25, 2019

By: Magento Security Team
Tags:
Magento Commerce
Open Source

Magento 2.3.2, 2.2.9, and 2.1.18 contain 75 critical security enhancements. These enhancements are described in three related blog posts — the post you’re currently reading plus these two separate posts, which you can find here: Part 1 and Part 2.

PRODSECBUG-2273: Sensitive data disclosure though malicious email templates - CVE-2019-7888
Type:General: Remote Code Execution
CVSSv3 Severity:4.4
Known Attacks:none
Description:

An authenticated user with privileges to create email templates can leak sensitive data through malicious email template code.
Product(s) Affected:Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In:Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter:Blaklis
PRODSECBUG-2348: Sensitive data disclosure via crafted two factor edit user form - CVE-2019-7929
Type:General: Information Leakage
CVSSv3 Severity:4.3
Known Attacks:none
Description:

An authenticated user with full admin privileges can create two factor settings that can be abused by low privileged user to leak sensitive data via crafted user form component.
Product(s) Affected:Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In:Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter:Max Chadwick
PRODSECBUG-2301: Names of disabled products can be leaked due to inadequate validation checks - CVE-2019-7899
Type:General: Information Leakage
CVSSv3 Severity:4.3
Known Attacks:none
Description:

Inadequate validation can lead to disclosure of product names even if marked as disabled.
Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter:Edgar Boda-Majer
PRODSECBUG-2171: Insecure token implementation leads to Cross-Site Request Forgery (CSRF) - CVE-2019-7857
Type:General: Cross Site Request Forgery
CVSSv3 Severity:4.3
Known Attacks:none
Description:

An insufficiently robust anti-CSRF token implementation could be abused to add unwanted items to a shopper's cart.
Product(s) Affected:Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In:Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter:Internal Penetration Testing
PRODSECBUG-2220: Deletion of store design schedule via cross-site request forgery (CSRF) - CVE-2019-7873
Type:General: Cross Site Request Forgery
CVSSv3 Severity:4.2
Known Attacks:none
Description:

An attacker can delete the store design schedule within the context of an authenticated administrator's session through cross-site request forgery.
Product(s) Affected:Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In:Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter:Djordje Marjanovic
PRODSECBUG-2125: Deletion of Blocks via cross-site request forgery (CSRF) - CVE-2019-7851
Type:General: Cross Site Request Forgery
CVSSv3 Severity:4.2
Known Attacks:none
Description:

An attacker can delete all blocks causing the loss of data from customer pages within the context of an authenticated administrator's session.
Product(s) Affected:Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In:Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter:Djordje Marjanovic
PRODSECBUG-2174: Use of insufficiently random values in multiple security relevant contexts - CVE-2019-7860
Type:General: Cryptographic/Encryption/Hashing Flaw
CVSSv3 Severity:3.7
Known Attacks:none
Description:

Cryptographically weak pseudo-rando number generator is used in multiple security relevant contexts (e.g., anti-CSRF tokens) allowing malicious user to predict random values.
Product(s) Affected:Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In:Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter:Internal Penetration Testing
PRODSECBUG-2186: Insecure Direct Object Reference (IDOR) vulnerability can expose order details - CVE-2019-7864
Type:Privilege Escalation & Enumeration: Insecure Direct Object Reference
CVSSv3 Severity:3.7
Known Attacks:none
Description:

An Insecure Direct Object Reference (IDOR) vulnerability in the RSS feeds functionality can lead to unauthorized access to order details.
Product(s) Affected:Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In:Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter:Roberto Suggi Liverani
PRODSECBUG-2267: Use of insufficiently random values when generating initialization vector - CVE-2019-7886
Type:General: Cryptographic/Encryption/Hashing Flaw
CVSSv3 Severity:3.7
Known Attacks:none
Description:

Cryptographically weak pseudo-rando number generator and insecure block cipher mode is used to generate intialization vector in multiple security relevant contexts.
Product(s) Affected:Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In:Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter:rbsec
PRODSECBUG-1513: Insufficient brute force protections on promo code entry - CVE-2019-7846
Type:General: Remote Code Execution
CVSSv3 Severity:3.7
Known Attacks:none
Description:

Insufficient brute force protections on promo code entry could allow an attacker to guess discount codes offered by the Magento merchant.
Product(s) Affected:Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In:Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter:hkln1
PRODSECBUG-2127: Disclosure of Magento admin panel URL - CVE-2019-7852
Type:Privilege Escalation & Enumeration: Path Disclosure
CVSSv3 Severity:3.7
Known Attacks:none
Description:

Requests for a specific file path could result in a redirect to the URL of the Magento admin panel, disclosing its location to potentially unauthorized parties.
Product(s) Affected:Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In:Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter:Max Chadwick
PRODSECBUG-2095: Defense-in-depth session validation check implemented - CVE-2019-7849
Type:Privilege Escalation & Enumeration: Broken Authentication and Session Management
CVSSv3 Severity:3.7
Known Attacks:none
Description:

A defense-in-depth check was added to mitigate inadequate session validation handling by 3rd party checkout modules.
Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter:Roger-Keulen
PRODSECBUG-2387: Cross site request forgery attacks are possible via the gift card removal feature - CVE-2019-7947
Type:General: Cross Site Request Forgery
CVSSv3 Severity:3.1
Known Attacks:none
Description:

A cross-site request forgery vulnerability exists in the GiftCardAccount removal feature
Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter:Anonymously reported
PRODSECBUG-2187: Cross-site request forgery (CSRF) in checkout cart item - CVE-2019-7865
Type:General: Cross Site Request Forgery
CVSSv3 Severity:3.1
Known Attacks:none
Description:

A cross-site request forgery vulnerability exists in the checkout cart item. This could be exploited at the time of editing or configuration.
Product(s) Affected:Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In:Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter:Magecraze
PRODSECBUG-2321: Filter extension bypass via crafted store configuration keys - CVE-2019-7912
Type:General: Remote Code Execution
CVSSv3 Severity:2.7
Known Attacks:none
Description:

An authenticated user with admin privileges to edit certain configuration keys can bypass a file extension filter by allowing uploads of executable file extensions.
Product(s) Affected:Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In:Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter:Blaklis

Magento 2.3.2, 2.2.9, and 2.1.18 contain 75 critical security enhancements. These enhancements are described in three related blog posts — the post you’re currently reading plus these two separate posts, which you can find here: Part 1 and Part 2.