Magento 2.3.2, 2.2.9 and 2.1.18 Security Update 3/3
June 25, 2019
| PRODSECBUG-2273: Sensitive data disclosure though malicious email templates - CVE-2019-7888 | |
|---|---|
| Type: | General: Remote Code Execution |
| CVSSv3 Severity: | 4.4 |
| Known Attacks: | none |
| Description: | An authenticated user with privileges to create email templates can leak sensitive data through malicious email template code. |
| Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
| Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
| Reporter: | Blaklis |
| PRODSECBUG-2348: Sensitive data disclosure via crafted two factor edit user form - CVE-2019-7929 | |
|---|---|
| Type: | General: Information Leakage |
| CVSSv3 Severity: | 4.3 |
| Known Attacks: | none |
| Description: | An authenticated user with full admin privileges can create two factor settings that can be abused by low privileged user to leak sensitive data via crafted user form component. |
| Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
| Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
| Reporter: | Max Chadwick |
| PRODSECBUG-2301: Names of disabled products can be leaked due to inadequate validation checks - CVE-2019-7899 | |
|---|---|
| Type: | General: Information Leakage |
| CVSSv3 Severity: | 4.3 |
| Known Attacks: | none |
| Description: | Inadequate validation can lead to disclosure of product names even if marked as disabled. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
| Reporter: | Edgar Boda-Majer |
| PRODSECBUG-2171: Insecure token implementation leads to Cross-Site Request Forgery (CSRF) - CVE-2019-7857 | |
|---|---|
| Type: | General: Cross Site Request Forgery |
| CVSSv3 Severity: | 4.3 |
| Known Attacks: | none |
| Description: | An insufficiently robust anti-CSRF token implementation could be abused to add unwanted items to a shopper's cart. |
| Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
| Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
| Reporter: | Internal Penetration Testing |
| PRODSECBUG-2220: Deletion of store design schedule via cross-site request forgery (CSRF) - CVE-2019-7873 | |
|---|---|
| Type: | General: Cross Site Request Forgery |
| CVSSv3 Severity: | 4.2 |
| Known Attacks: | none |
| Description: | An attacker can delete the store design schedule within the context of an authenticated administrator's session through cross-site request forgery. |
| Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
| Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
| Reporter: | Djordje Marjanovic |
| PRODSECBUG-2125: Deletion of Blocks via cross-site request forgery (CSRF) - CVE-2019-7851 | |
|---|---|
| Type: | General: Cross Site Request Forgery |
| CVSSv3 Severity: | 4.2 |
| Known Attacks: | none |
| Description: | An attacker can delete all blocks causing the loss of data from customer pages within the context of an authenticated administrator's session. |
| Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
| Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
| Reporter: | Djordje Marjanovic |
| PRODSECBUG-2174: Use of insufficiently random values in multiple security relevant contexts - CVE-2019-7860 | |
|---|---|
| Type: | General: Cryptographic/Encryption/Hashing Flaw |
| CVSSv3 Severity: | 3.7 |
| Known Attacks: | none |
| Description: | Cryptographically weak pseudo-rando number generator is used in multiple security relevant contexts (e.g., anti-CSRF tokens) allowing malicious user to predict random values. |
| Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
| Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
| Reporter: | Internal Penetration Testing |
| PRODSECBUG-2186: Insecure Direct Object Reference (IDOR) vulnerability can expose order details - CVE-2019-7864 | |
|---|---|
| Type: | Privilege Escalation & Enumeration: Insecure Direct Object Reference |
| CVSSv3 Severity: | 3.7 |
| Known Attacks: | none |
| Description: | An Insecure Direct Object Reference (IDOR) vulnerability in the RSS feeds functionality can lead to unauthorized access to order details. |
| Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
| Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
| Reporter: | Roberto Suggi Liverani |
| PRODSECBUG-2267: Use of insufficiently random values when generating initialization vector - CVE-2019-7886 | |
|---|---|
| Type: | General: Cryptographic/Encryption/Hashing Flaw |
| CVSSv3 Severity: | 3.7 |
| Known Attacks: | none |
| Description: | Cryptographically weak pseudo-rando number generator and insecure block cipher mode is used to generate intialization vector in multiple security relevant contexts. |
| Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
| Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
| Reporter: | rbsec |
| PRODSECBUG-1513: Insufficient brute force protections on promo code entry - CVE-2019-8065 | |
|---|---|
| Type: | General: Remote Code Execution |
| CVSSv3 Severity: | 3.7 |
| Known Attacks: | none |
| Description: | Insufficient brute force protections on promo code entry could allow an attacker to guess discount codes offered by the Magento merchant. |
| Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
| Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
| Reporter: | hkln1 |
| PRODSECBUG-2127: Disclosure of Magento admin panel URL - CVE-2019-7852 | |
|---|---|
| Type: | Privilege Escalation & Enumeration: Path Disclosure |
| CVSSv3 Severity: | 3.7 |
| Known Attacks: | none |
| Description: | Requests for a specific file path could result in a redirect to the URL of the Magento admin panel, disclosing its location to potentially unauthorized parties. |
| Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
| Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
| Reporter: | Max Chadwick |
| PRODSECBUG-2095: Defense-in-depth session validation check implemented - CVE-2019-8067 | |
|---|---|
| Type: | Privilege Escalation & Enumeration: Broken Authentication and Session Management |
| CVSSv3 Severity: | 3.7 |
| Known Attacks: | none |
| Description: | A defense-in-depth check was added to mitigate inadequate session validation handling by 3rd party checkout modules. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
| Reporter: | Roger-Keulen |
| PRODSECBUG-2387: Cross site request forgery attacks are possible via the gift card removal feature - CVE-2019-7947 | |
|---|---|
| Type: | General: Cross Site Request Forgery |
| CVSSv3 Severity: | 3.1 |
| Known Attacks: | none |
| Description: | A cross-site request forgery vulnerability exists in the GiftCardAccount removal feature |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
| Reporter: | Anonymously reported |
| PRODSECBUG-2187: Cross-site request forgery (CSRF) in checkout cart item - CVE-2019-7865 | |
|---|---|
| Type: | General: Cross Site Request Forgery |
| CVSSv3 Severity: | 3.1 |
| Known Attacks: | none |
| Description: | A cross-site request forgery vulnerability exists in the checkout cart item. This could be exploited at the time of editing or configuration. |
| Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
| Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
| Reporter: | Magecraze |
| PRODSECBUG-2321: Filter extension bypass via crafted store configuration keys - CVE-2019-7912 | |
|---|---|
| Type: | General: Remote Code Execution |
| CVSSv3 Severity: | 2.7 |
| Known Attacks: | none |
| Description: | An authenticated user with admin privileges to edit certain configuration keys can bypass a file extension filter by allowing uploads of executable file extensions. |
| Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
| Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
| Reporter: | Blaklis |