Magento 2.3.2, 2.2.9 and 2.1.18 Security Update 3/3
June 25, 2019
PRODSECBUG-2273: Sensitive data disclosure through malicious email templates - CVE-2019-7888 | |
---|---|
Type: | General: Remote Code Execution |
CVSSv3 Severity: | 4.4 |
Known Attacks: | none |
Description: | An authenticated user with privileges to create email templates can leak sensitive data through malicious email template code. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Blaklis |
PRODSECBUG-2348: Sensitive data disclosure via crafted two factor edit user form - CVE-2019-7929 | |
---|---|
Type: | General: Information Leakage |
CVSSv3 Severity: | 4.3 |
Known Attacks: | none |
Description: | An authenticated user with full admin privileges can create two-factor settings that can be abused by a low-privileged user to leak sensitive data via a crafted user form component. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Max Chadwick |
PRODSECBUG-2301: Names of disabled products can be leaked due to inadequate validation checks - CVE-2019-7899 | |
---|---|
Type: | General: Information Leakage |
CVSSv3 Severity: | 4.3 |
Known Attacks: | none |
Description: | Inadequate validation can lead to disclosure of product names even if marked as disabled. |
Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Edgar Boda-Majer |
PRODSECBUG-2171: Insecure token implementation leads to Cross-Site Request Forgery (CSRF) - CVE-2019-7857 | |
---|---|
Type: | General: Cross Site Request Forgery |
CVSSv3 Severity: | 4.3 |
Known Attacks: | none |
Description: | An insufficiently robust anti-CSRF token implementation could be abused to add unwanted items to a shopper's cart. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Internal Penetration Testing |
PRODSECBUG-2220: Deletion of store design schedule via cross-site request forgery (CSRF) - CVE-2019-7873 | |
---|---|
Type: | General: Cross Site Request Forgery |
CVSSv3 Severity: | 4.2 |
Known Attacks: | none |
Description: | An attacker can delete the store design schedule within the context of an authenticated administrator's session through cross-site request forgery. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Djordje Marjanovic |
PRODSECBUG-2125: Deletion of Blocks via cross-site request forgery (CSRF) - CVE-2019-7851 | |
---|---|
Type: | General: Cross Site Request Forgery |
CVSSv3 Severity: | 4.2 |
Known Attacks: | none |
Description: | An attacker can delete all blocks, causing the loss of data from customer pages, within the context of an authenticated administrator's session. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Djordje Marjanovic |
PRODSECBUG-2174: Use of insufficiently random values in multiple security relevant contexts - CVE-2019-7860 | |
---|---|
Type: | General: Cryptographic/Encryption/Hashing Flaw |
CVSSv3 Severity: | 3.7 |
Known Attacks: | none |
Description: | A cryptographically weak pseudo-random number generator is used in multiple security-relevant contexts (e.g., anti-CSRF tokens), allowing a malicious user to predict random values. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Internal Penetration Testing |
PRODSECBUG-2186: Insecure Direct Object Reference (IDOR) vulnerability can expose order details - CVE-2019-7864 | |
---|---|
Type: | Privilege Escalation & Enumeration: Insecure Direct Object Reference |
CVSSv3 Severity: | 3.7 |
Known Attacks: | none |
Description: | An Insecure Direct Object Reference (IDOR) vulnerability in the RSS feeds functionality can lead to unauthorized access to order details. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Roberto Suggi Liverani |
PRODSECBUG-2267: Use of insufficiently random values when generating initialization vector - CVE-2019-7886 | |
---|---|
Type: | General: Cryptographic/Encryption/Hashing Flaw |
CVSSv3 Severity: | 3.7 |
Known Attacks: | none |
Description: | A cryptographically weak pseudo-random number generator and an insecure block cipher mode are used to generate the initialization vector in multiple security-relevant contexts. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | rbsec |
PRODSECBUG-1513: Insufficient brute force protections on promo code entry - CVE-2019-8065 | |
---|---|
Type: | General: Remote Code Execution |
CVSSv3 Severity: | 3.7 |
Known Attacks: | none |
Description: | Insufficient brute force protections on promo code entry could allow an attacker to guess discount codes offered by the Magento merchant. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | hkln1 |
PRODSECBUG-2127: Disclosure of Magento admin panel URL - CVE-2019-7852 | |
---|---|
Type: | Privilege Escalation & Enumeration: Path Disclosure |
CVSSv3 Severity: | 3.7 |
Known Attacks: | none |
Description: | Requests for a specific file path could result in a redirect to the URL of the Magento admin panel, disclosing its location to potentially unauthorized parties. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Max Chadwick |
PRODSECBUG-2095: Defense-in-depth session validation check implemented - CVE-2019-8067 | |
---|---|
Type: | Privilege Escalation & Enumeration: Broken Authentication and Session Management |
CVSSv3 Severity: | 3.7 |
Known Attacks: | none |
Description: | A defense-in-depth check was added to mitigate inadequate session validation handling by third-party checkout modules. |
Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Roger-Keulen |
PRODSECBUG-2387: Cross site request forgery attacks are possible via the gift card removal feature - CVE-2019-7947 | |
---|---|
Type: | General: Cross Site Request Forgery |
CVSSv3 Severity: | 3.1 |
Known Attacks: | none |
Description: | A cross-site request forgery vulnerability exists in the GiftCardAccount removal feature. |
Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Anonymously reported |
PRODSECBUG-2187: Cross-site request forgery (CSRF) in checkout cart item - CVE-2019-7865 | |
---|---|
Type: | General: Cross Site Request Forgery |
CVSSv3 Severity: | 3.1 |
Known Attacks: | none |
Description: | A cross-site request forgery vulnerability exists in the checkout cart item. This could be exploited at the time of editing or configuration. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Magecraze |
PRODSECBUG-2321: Filter extension bypass via crafted store configuration keys - CVE-2019-7912 | |
---|---|
Type: | General: Remote Code Execution |
CVSSv3 Severity: | 2.7 |
Known Attacks: | none |
Description: | An authenticated user with admin privileges to edit certain configuration keys can bypass a file extension filter, allowing uploads of files with executable extensions. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Blaklis |