New Security Update

Install critical updates for Magento 1.x and Magento 2.x versions

Magento 2.0.16 and 2.1.9 Security Update

September 14, 2017

Magento Commerce and Open Source 2.1.9 and 2.0.16 contain multiple security enhancements that help close cross-site request forgery (CSRF), unauthorized data leak, and authenticated Admin user remote code execution vulnerabilities. These releases also include support for the changes to the USPS shipping rates that the USPS introduced on September 1, 2017.

Merchants who have not previously downloaded a Magento 2 release should go straight to Magento Commerce or Open Source 2.1.9.

Please refer to Security Best Practices for additional information on how to secure your site.

To download the releases, choose from the following options:

Partners:

Magento Commerce 2.1.9 (New .zip file installations)

Partner Portal > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.1.9

Magento Commerce 2.0.16 (New .zip file installations)

Partner Portal > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.0.16

Magento Commerce 2.1.9 and 2.0.16 (New composer installations)

https://devdocs.magento.com/guides/v2.0/install-gde/prereq/integrator_install.html

Magento Commerce 2.1.9 and 2.0.16 (Composer upgrades)

https://devdocs.magento.com/guides/v2.0/comp-mgr/bk-compman-upgrade-guide.html

Magento Commerce:

Magento Commerce 2.1.9 (New .zip file installations)

My Account > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.1.9

Magento Commerce 2.0.16 (New .zip file installations)

My Account > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.0.16

Magento Commerce 2.1.9 and 2.0.16 (New composer installations)

https://devdocs.magento.com/guides/v2.0/install-gde/prereq/integrator_install.html

Magento Commerce 2.1.9 and 2.0.16 (Composer upgrades)

https://devdocs.magento.com/guides/v2.0/comp-mgr/bk-compman-upgrade-guide.html

Magento Open Source:

Magento Open Source 2.1.9 and 2.0.16 (New .zip file installations)

Magento Open Source Download Page > Download Tab

Magento Open Source 2.1.9 and 2.0.16 (New composer installations)

https://devdocs.magento.com/guides/v2.0/install-gde/prereq/integrator_install.html

Magento Open Source 2.1.9 and 2.0.16 (Composer upgrades)

https://devdocs.magento.com/guides/v2.0/comp-mgr/bk-compman-upgrade-guide.html

Magento Open Source 2.1.9 and 2.0.16 (Developers contributing to the Open Source code base)

https://devdocs.magento.com/guides/v2.0/install-gde/install/cli/dev_options.html

APPSEC-1800: Remote Code Execution vulnerability in CMS and layouts
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 8.2 (Critical)
Known Attacks: None
Description:

A Magento administrator with limited privileges can introduce malicious code when creating a new CMS Page, which could result in arbitrary remote code execution.

Product(s) Affected: Magento Open Source prior to 1.9.3.6, Magento Commerce prior to 1.14.3.6, Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266, Magento 2.0.16, Magento 2.1.9
Reporter: dhln
APPSEC-1887: Arbitrary File Disclosure
Type: Information Leak (system)
CVSSv3 Severity: 7.8 (High)
Known Attacks: None
Description:

A Magento administrator with limited privileges can exploit a vulnerability in the theme creation function to arbitrarily disclose and delete system files of a Magento installation.

Product(s) Affected: Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento 2.0.16, Magento 2.1.9
Reporter: Mortis
APPSEC-1850: Arbitrary File Delete
Type: Abuse of Functionality
CVSSv3 Severity: 6.8 (High)
Known Attacks: None
Description:

A Magento administrator with limited privileges can use the Delete Files module to upload and delete arbitrary files.

Product(s) Affected: Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento 2.0.16, Magento 2.1.9
Reporter: mortis
APPSEC-1851: Arbitrary file delete + Lack of input sanitization leading to Remote Code Execution
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 6.8 (High)
Known Attacks: None
Description:

A Magento administrator with limited privileges can exploit a vulnerability in the Magento functional tests and obtain full remote code execution on the system.

Product(s) Affected: Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento 2.0.16, Magento 2.1.9
Reporter: Mortis
APPSEC-1567: Order history disclosure
Type: Information Leak (order)
CVSSv3 Severity: 6.7 (Medium)
Known Attacks: None
Description:

If an anonymous attacker is given generic order information, they can generate a cookie collision and obtain order information.

Product(s) Affected: Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento 2.0.16, Magento 2.1.9
Reporter: Internal
APPSEC-1769: Overwrite a Relative Path in Sitemap
Type: Abuse of Functionality
CVSSv3 Severity: 6.5 (Medium)
Known Attacks:
Description:

A Magento administrator with limited privileges can use the sitemap generation tool to arbitrarily overwrite sensitive files.

Product(s) Affected: Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento 2.0.16, Magento 2.1.9
Reporter: anishnath
APPSEC-1713: Setup pages expose sensitive data
Type: Information Leak (system)
CVSSv3 Severity: 6.4 (Medium)
Known Attacks: None
Description:

Several Magento site URLs leak sensitive information that can include verbose error messages and controller location. Attackers can use this information to exploit other vulnerabilities.

Product(s) Affected: Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento 2.0.16, Magento 2.1.9
Reporter: Internal
APPSEC-1852: CSRF + Stored Cross Site Scripting (customer group)
Type: CSRF, XSS (stored)
CVSSv3 Severity: 6.0 (Medium)
Known Attacks: None
Description:

A Magento administrator with limited privileges can exploit a vulnerability in the customer group to create a URL that can be used as part of a CSRF attack.

Product(s) Affected: Magento Open Source prior to 1.9.3.6, Magento Commerce prior to 1.14.3.6, Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266, Magento 2.0.16, Magento 2.1.9
Reporter: Boskostan
APPSEC-1482: Security Issue with referrer
Type: Unvalidated Redirection
CVSSv3 Severity: 5.9 (Medium)
Known Attacks: None
Description:

An attacker can add a URL to a Magento site, thereby redirecting users to an external phishing website.

Product(s) Affected: Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento 2.0.16, Magento 2.1.9
Reporter: Internal
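The defensive check behind an unvalidated-redirection fix of this kind is to accept a redirect target from the request (a referrer or "return to" parameter) only when it stays on the store's own origin. The following is an added Python example, not Magento's own code; the allowed host, the fallback path and the function name are assumptions.

```python
"""Added example: validating a user-supplied redirect target (APPSEC-1482).

Only a path on this origin, or an absolute URL whose host is on the allowlist,
is returned; everything else collapses to the fallback. ALLOWED_HOSTS and the
function name are hypothetical.
"""
from urllib.parse import urlsplit, urlunsplit

ALLOWED_HOSTS = {"shop.example.test"}  # assumed store host(s)
FALLBACK = "/"


def safe_redirect_target(candidate, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return `candidate` if it stays on an allowed host, else `fallback`.

    Handles the usual edge cases: protocol-relative '//host', backslashes
    (browsers treat them as slashes), control characters hiding a scheme,
    non-http schemes such as javascript:, userinfo '@' confusion, malformed
    ports, and look-alike hosts ('shop.example.test.evil.test').
    """
    if not candidate:
        return fallback
    candidate = candidate.replace("\\", "/")
    candidate = "".join(ch for ch in candidate if ch.isprintable()).strip()
    parts = urlsplit(candidate)

    if parts.scheme == "" and parts.netloc == "":
        # Relative path: exactly one leading '/' keeps it on this origin.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return fallback

    if parts.scheme not in ("http", "https"):
        return fallback
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return fallback
    host = (parts.hostname or "").lower()  # hostname excludes any userinfo
    if host not in {h.lower() for h in allowed_hosts}:
        return fallback
    # Rebuild from parsed parts so the normalised host is what gets used.
    netloc = host if port is None else f"{host}:{port}"
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, parts.fragment))
```

Anything that is not a plain same-origin path or an allowlisted absolute URL falls back to the store root, which is the safe direction for a redirect check.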
APPSEC-1502: Stored XSS - Add new group in Attribute set name
Type: Cross-Site Scripting (XSS, stored)
CVSSv3 Severity: 5.9 (Medium)
Known Attacks: None
Description:

A Magento administrator can inject code in custom product attributes.

Product(s) Affected: Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento 2.0.16, Magento 2.1.9
Reporter: hkln1
APPSEC-1494: AdminNotification Stored XSS
Type: Cross-Site Scripting (XSS, stored)
CVSSv3 Severity: 5.9 (Medium)
Known Attacks: None
Description:

An attacker with the ability to launch a man-in-the-middle attack on a network connection could inject code on the Magento Admin RSS feed.

Product(s) Affected: Magento Open Source prior to 1.9.3.6, Magento Commerce prior to 1.14.3.6, Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266, Magento 2.0.16, Magento 2.1.9
Reporter: lleber
APPSEC-1793: Potential file uploads solely protected by .htaccess
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 5.8 (Medium)
Known Attacks: None
Description:

Non-Apache installations (e.g., Nginx) do not apply .htaccess rules, so uploaded files containing executable script can be served and run, and then used for further exploitation.

Product(s) Affected: Magento Open Source prior to 1.9.3.6, Magento Commerce prior to 1.14.3.6, Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266, Magento 2.0.16, Magento 2.1.9
Reporter: Internal
APPSEC-1819: Customer login authenticates two different sessions
Type: Insufficient Session Expiration
CVSSv3 Severity: 5.8 (Medium)
Known Attacks: None
Description:

Magento does not correctly set concurrent sessions to expire. A customer could log out under the mistaken assumption that their sessions have expired, but later, an attacker could access the account through one of the unexpired sessions.

Product(s) Affected: Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento 2.0.16, Magento 2.1.9
Reporter: Internal
APPSEC-1802: Customer registration through frontend does not have anti-CSRF protection
Type: Cross-Site Request Forgery (CSRF)
CVSSv3 Severity: 5.8 (Medium)
Known Attacks: None
Description:

We've added CSRF protection to the customer registration process to prevent attackers from taking over accounts.

Product(s) Affected: Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento 2.0.16, Magento 2.1.9
Reporter: Internal
APPSEC-1493: CMS Page Title Stored XSS
Type: Cross-Site Scripting (XSS, stored)
CVSSv3 Severity: 5.8 (Medium)
Known Attacks: None
Description:

A Magento administrator can inject executable scripts in non-executable areas, such as the page title.

Product(s) Affected: Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento 2.0.16, Magento 2.1.9
Reporter: anishnath
APPSEC-1755: Anti-CSRF form_key is not changed after login
Type: Cross-Site Request Forgery (CSRF)
CVSSv3 Severity: 5.8 (Medium)
Known Attacks: None
Description:

Anti-CSRF tokens do not properly change after a successful login.

Product(s) Affected: Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento 2.0.16, Magento 2.1.9
Reporter: Internal
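The two form_key issues above (APPSEC-1802, a state-changing form accepted without any token check, and APPSEC-1755, a token that survives login) come down to two rules: every state-changing POST must carry the session's token, and the token must be regenerated when the session crosses the authentication boundary. The following is an added Python example that models both; it is not Magento's form_key implementation, and the Session class, handler names and request shape are hypothetical.

```python
"""Added example: anti-CSRF form_key lifecycle (APPSEC-1802 and APPSEC-1755).

Each vulnerable handler is shown beside its hardened counterpart. Nothing
here is Magento's own code; Session, the handlers and the POST dict shape
are assumptions made for the demonstration.
"""
import hmac
import secrets


class Session:
    """Minimal server-side session: an identity plus an anti-CSRF form_key."""

    def __init__(self):
        self.customer_id = None
        self.form_key = secrets.token_urlsafe(16)

    def rotate_form_key(self):
        """Issue a fresh form_key; the previous value stops validating."""
        self.form_key = secrets.token_urlsafe(16)


def form_key_valid(session, submitted):
    """Constant-time comparison of the submitted token with the session's."""
    if not submitted:
        return False
    return hmac.compare_digest(session.form_key, submitted)


def register_vulnerable(session, post):
    """Pattern behind APPSEC-1802: no form_key check on a state-changing POST."""
    session.customer_id = post["email"]
    return True


def register_fixed(session, post):
    """Hardened: refuse the POST unless it carries the session's form_key."""
    if not form_key_valid(session, post.get("form_key")):
        return False
    session.customer_id = post["email"]
    return True


def login_vulnerable(session, email):
    """Pattern behind APPSEC-1755: privilege changes, the token does not."""
    session.customer_id = email


def login_fixed(session, email):
    """Hardened: authentication is a privilege boundary, so rotate the token."""
    session.customer_id = email
    session.rotate_form_key()


def demo():
    """Return (forgery_accepted, forgery_rejected, old_token_still_valid)."""
    # Constructed cross-site POST: no form_key because the attacker has none.
    forged = {"email": "victim@example.test"}
    forgery_accepted = register_vulnerable(Session(), forged)   # True
    forgery_rejected = register_fixed(Session(), forged)        # False

    # Token observed on an anonymous page before the victim logs in.
    s = Session()
    pre_login_key = s.form_key
    login_fixed(s, "victim@example.test")
    old_token_still_valid = form_key_valid(s, pre_login_key)    # False
    return forgery_accepted, forgery_rejected, old_token_still_valid


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The login handlers also make the detection angle visible: a form_key that is identical before and after authentication is something a test suite can assert against directly.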
APPSEC-1853: CSRF + Stored Cross Site Scripting in newsletter template
Type: CSRF, XSS (stored)
CVSSv3 Severity: 5.5 (Medium)
Known Attacks: None
Description:

A Magento administrator with limited privileges can exploit a vulnerability in the newsletter template to create a URL that can be used as part of a CSRF attack.

Product(s) Affected: Magento Open Source prior to 1.9.3.6, Magento Commerce prior to 1.14.3.6, Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266, Magento 2.0.16, Magento 2.1.9
Reporter: Boskostan
APPSEC-1729: XSS in admin order view using order status label in Magento
Type: Cross-Site Scripting (XSS)
CVSSv3 Severity: 5.5 (Medium)
Known Attacks: None
Description:

An administrator can inject code in sales order records, which can result in an XSS attack on anyone that views the page.

Product(s) Affected: Magento Open Source prior to 1.9.3.6, Magento Commerce prior to 1.14.3.6, Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266, Magento 2.0.16, Magento 2.1.9
Reporter: Fabian
APPSEC-1775: Stored Cross-Site Scripting in email template bypass
Type: Cross-Site Scripting (XSS)
CVSSv3 Severity: 5.5 (Medium)
Known Attacks: None
Description:

A Magento administrator with limited privileges can insert malicious code in email templates.

Product(s) Affected: Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento 2.0.16, Magento 2.1.9
Reporter: anishnath
APPSEC-1591: Stored XSS on product thumbnail
Type: Cross-Site Scripting (XSS, stored)
CVSSv3 Severity: 5.5 (Medium)
Known Attacks: None
Description:

A Magento administrator with limited privileges can add new products that could contain a malicious script in the product's thumbnail.

Product(s) Affected: Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento 2.0.16, Magento 2.1.9
Reporter: anishnath
APPSEC-1896: Possible XSS in admin order view using order code label
Type: Cross-Site Scripting (XSS, stored)
CVSSv3 Severity: 5.5 (Medium)
Known Attacks: None
Description:

A Magento administrator with limited privileges can insert executable code in the Order view through the order code label.

Product(s) Affected: Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento 2.0.16, Magento 2.1.9
Reporter: Internal
APPSEC-1673: Stored XSS using SVG images in favicon
Type: Cross-Site Scripting (XSS, stored)
CVSSv3 Severity: 5.5 (Medium)
Known Attacks: None
Description:

A Magento administrator with limited privileges can add new SVG images that contain injected code.

Product(s) Affected: Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento 2.0.16, Magento 2.1.9
Reporter: anishnath
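Two of the upload-related entries in this release, APPSEC-1793 (script uploads whose only protection is an .htaccess file that Nginx never reads) and APPSEC-1673 (an SVG favicon carrying script), share the same defence-in-depth answer: validate the upload on the server before it is stored, independently of what the web server will or will not execute. The following is an added Python example of such a validator; it is not Magento's own upload code, and the allowlist, magic-byte table and function names are assumptions.

```python
"""Added example: upload validation that does not rely on .htaccess
(APPSEC-1793) and refuses active content in SVG (APPSEC-1673).

Three layers: a strict extension allowlist with no secondary extensions,
a check that the bytes match the claimed image type, and an SVG walk that
rejects script elements, on* event handlers and non-fragment hrefs.
The allowlist and names are hypothetical, not Magento's.
"""
import os
import re
import xml.etree.ElementTree as ET  # use defusedxml in production code

ALLOWED_IMAGE_EXT = {"png", "jpg", "jpeg", "gif", "ico", "svg"}
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",                 # GIF87a / GIF89a
    "ico": b"\x00\x00\x01\x00",
}
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)


def _svg_is_passive(data):
    """True only if the SVG parses and contains no script-bearing construct."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return False
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()        # strip the namespace
        if tag in ("script", "foreignobject", "iframe"):
            return False
        for name, value in el.attrib.items():
            local = name.split("}")[-1]            # e.g. xlink:href -> href
            if EVENT_ATTR.match(local):
                return False
            if local.lower() == "href" and not value.startswith("#"):
                return False
    return True


def validate_upload(filename, data):
    """Return (ok, reason) for a proposed image upload."""
    base = os.path.basename(filename)
    parts = base.lower().split(".")
    if len(parts) < 2 or "" in parts:
        return False, "missing extension"
    if len(parts) > 2:
        # 'shell.php.png' style names: refuse any secondary extension.
        return False, "multiple extensions"
    ext = parts[-1]
    if ext not in ALLOWED_IMAGE_EXT:
        return False, f"extension .{ext} not allowed"
    if ext == "svg":
        return (True, "ok") if _svg_is_passive(data) else (False, "active content in svg")
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    if b"<?php" in data or b"<script" in data.lower():
        # A real image header with script appended is still not acceptable.
        return False, "embedded script in image"
    return True, "ok"
```

The web-server rule remains the primary control: on Nginx the intent of the .htaccess file has to be restated in the server block so that nothing under the upload directory is ever handed to the PHP interpreter. The validator above is the second layer, so that a misconfigured server does not turn a stored file into an executed one.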
APPSEC-1773: Injection on Page leading to DoS
Type: Denial of Service (DoS)
CVSSv3 Severity: 5.5 (Medium)
Known Attacks: None
Description:

A Magento administrator with limited privileges can modify the page counter when creating a new page. This can cause an integer overflow, which could prevent the creation of new pages.

Product(s) Affected: Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento 2.0.16, Magento 2.1.9
Reporter: anishnath
APPSEC-1577: Stored XSS in integration activation
Type: Cross-Site Scripting (XSS, stored)
CVSSv3 Severity: 5.5 (Medium)
Known Attacks: None
Description:

A Magento administrator can inject code in the integration activation.

Product(s) Affected: Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento 2.0.16, Magento 2.1.9
Reporter: Internal
APPSEC-1510: Any admin user can upload Favicon Icon
Type: Insecure Direct Object Reference (IDOR)
CVSSv3 Severity: 5.5 (Medium)
Known Attacks: None
Description:

A Magento administrator with limited privileges can update the Favicon image for the entire site.

Product(s) Affected: Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento 2.0.16, Magento 2.1.9
Reporter: Delat
APPSEC-1545: Stored XSS through customer group name in admin panel
Type: Cross-Site Scripting (XSS, stored)
CVSSv3 Severity: 5.5 (Medium)
Known Attacks: None
Description:

A Magento administrator can inject scriptable code into customer fields, which could result in an XSS attack.

Product(s) Affected: Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento 2.0.16, Magento 2.1.9
Reporter: Internal
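The stored XSS entries in this release (customer group name above, and likewise the order status label in APPSEC-1729, the CMS page title in APPSEC-1493 and the attribute set name in APPSEC-1502) share one root cause: a value typed by one admin is rendered into HTML for every other admin without output encoding. The following is an added Python example that shows the vulnerable rendering pattern beside the context-aware fix, with a parser-based check rather than a string match to judge the result; it is not Magento's template code, and the renderer and helper names are hypothetical.

```python
"""Added example: output encoding for admin-entered labels
(APPSEC-1545, APPSEC-1729, APPSEC-1493, APPSEC-1502).

The stored value stays raw; encoding is applied at the HTML sink, once per
context. Renderer and helper names are hypothetical, not Magento's.
"""
from html import escape
from html.parser import HTMLParser


def render_status_cell_vulnerable(label):
    """String concatenation: whatever the label contains becomes markup."""
    return f'<td title="{label}">{label}</td>'


def render_status_cell_fixed(label):
    """Encode for both positions. quote=True matters for the attribute:
    without it a label containing '"' closes the title attribute and the
    rest of the label is parsed as new attributes."""
    encoded = escape(label, quote=True)
    return f'<td title="{encoded}">{encoded}</td>'


class _ActiveMarkupFinder(HTMLParser):
    """Flags a <script> element or any on* event-handler attribute."""

    def __init__(self):
        super().__init__()
        self.found = False

    def handle_starttag(self, tag, attrs):
        if tag == "script" or any(name.lower().startswith("on") for name, _ in attrs):
            self.found = True


def contains_active_markup(fragment):
    """True if an HTML parser would see script or a handler in `fragment`."""
    finder = _ActiveMarkupFinder()
    finder.feed(fragment)
    finder.close()
    return finder.found


def demo():
    """Return (vulnerable_renders_handler, fixed_renders_handler)."""
    # Constructed label of the kind a limited-privilege admin could save.
    label = 'Pending" onmouseover="x()'
    return (
        contains_active_markup(render_status_cell_vulnerable(label)),  # True
        contains_active_markup(render_status_cell_fixed(label)),       # False
    )


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The parser-based check is the useful part for a test suite: it asks what a browser's tokenizer would do with the fragment, which is a more honest oracle than searching the output for a substring.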
APPSEC-1535: Access Control Lists not validated when using quick edit mode in tables
Type: Insecure Direct Object Reference (IDOR)
CVSSv3 Severity: 5.0 (Medium)
Known Attacks: None
Description:

Magento does not properly check Access Control Lists in the quick edits grid.

Product(s) Affected: Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento 2.0.16, Magento 2.1.9
Reporter: Internal
APPSEC-1588: Order Item Custom Option Disclosure
Type: Information Leak (order)
CVSSv3 Severity: 4.9 (Medium)
Known Attacks: None
Description:

An attacker can craft a URL request on a Magento site during checkout and retrieve information about past orders.

Product(s) Affected: Magento Open Source prior to 1.9.3.6, Magento Commerce prior to 1.14.3.6, Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266, Magento 2.0.16, Magento 2.1.9
Reporter: Peter O'Callaghan
APPSEC-1701: API token does not correctly expire
Type: Insufficient Session Expiration
CVSSv3 Severity: 4.9 (Medium)
Known Attacks: None
Description:

Customer and Admin tokens do not expire correctly, which allows for the potential re-use of a cookie by an attacker.

Product(s) Affected: Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento 2.0.16, Magento 2.1.9
Reporter: Internal
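This entry and APPSEC-1819 above are both session-lifetime defects: a logout that leaves sibling sessions of the same account alive, and an API token that keeps working after its lifetime has passed. The following is an added Python example of the two behaviours a store should enforce, shown beside the vulnerable versions; it is not Magento's session or token code, and the in-memory store, the lifetime constant and the method names are assumptions. The current time is passed in explicitly so the example is deterministic.

```python
"""Added example: session and API-token expiry (APPSEC-1819 and APPSEC-1701).

AuthStore is a hypothetical in-memory registry; TOKEN_LIFETIME_S is an
assumed policy value. Nothing here is Magento's own implementation.
"""
import secrets

TOKEN_LIFETIME_S = 3600  # assumed lifetime; enforce whatever your policy says


class AuthStore:
    """Web sessions and bearer tokens, keyed by their opaque identifier."""

    def __init__(self):
        self.sessions = {}  # session_id -> account
        self.tokens = {}    # token -> (account, issued_at)

    def login(self, account):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = account
        return sid

    def logout_vulnerable(self, sid):
        """Only the calling session is dropped; others stay valid (APPSEC-1819)."""
        self.sessions.pop(sid, None)

    def logout_fixed(self, sid):
        """Drop every session belonging to the account that owns `sid`."""
        account = self.sessions.get(sid)
        if account is None:
            return
        for other, acct in list(self.sessions.items()):
            if acct == account:
                del self.sessions[other]

    def session_valid(self, sid):
        return sid in self.sessions

    def issue_token(self, account, now):
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = (account, now)
        return tok

    def token_account_vulnerable(self, tok, now):
        """Never consults issued_at: a captured token works forever (APPSEC-1701)."""
        entry = self.tokens.get(tok)
        return entry[0] if entry else None

    def token_account_fixed(self, tok, now):
        """Reject, and purge, any token older than TOKEN_LIFETIME_S."""
        entry = self.tokens.get(tok)
        if entry is None:
            return None
        account, issued_at = entry
        if now - issued_at >= TOKEN_LIFETIME_S:
            del self.tokens[tok]
            return None
        return account


def demo():
    """Return (leftover_vuln, leftover_fixed, stale_vuln, stale_fixed)."""
    # Constructed scenario: one account logged in from two devices.
    store = AuthStore()
    a, b = store.login("customer-42"), store.login("customer-42")
    store.logout_vulnerable(a)
    leftover_vuln = store.session_valid(b)       # True: second session lives on

    store = AuthStore()
    a, b = store.login("customer-42"), store.login("customer-42")
    store.logout_fixed(a)
    leftover_fixed = store.session_valid(b)      # False: all sessions gone

    store = AuthStore()
    tok = store.issue_token("admin-1", now=1000)
    later = 1000 + TOKEN_LIFETIME_S + 1
    stale_vuln = store.token_account_vulnerable(tok, later)   # 'admin-1'
    stale_fixed = store.token_account_fixed(tok, later)       # None
    return leftover_vuln, leftover_fixed, stale_vuln, stale_fixed


if __name__ == "__main__":
    print(demo())  # (True, False, 'admin-1', None)
```

Purging the stale token on first rejection, rather than only refusing it, keeps the token table from accumulating dead entries that a later bug could resurrect.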
APPSEC-1630: Anonymous users can view upgrade progress updates
Type: Information Leak (system)
CVSSv3 Severity: 4.8 (Medium)
Known Attacks: None
Description:

An anonymous user can visit an internal URL and see the status of a Magento upgrade.

Product(s) Affected: Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento 2.0.16, Magento 2.1.9
Reporter: delat
APPSEC-1628: Full Path Disclosure Web Root Directory
Type: Information Leak (system)
CVSSv3 Severity: 4.4 (Medium)
Known Attacks: None
Description:

The Magento email replies to product requests expose the system path of the Magento installation. Attackers could leverage the system path to enable the use of other vulnerabilities.

Product(s) Affected: Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento 2.0.16, Magento 2.1.9
Reporter: anishnath
APPSEC-1599: Admin login does not handle autocomplete feature correctly
Type: Information Leak (system)
CVSSv3 Severity: 4.1 (Medium)
Known Attacks: None
Description:

Several fields in the Admin panel do not correctly handle autocomplete, which could result in a potential information leak when a browser tries to autocomplete the field.

Product(s) Affected: Magento Open Source prior to 1.9.3.6, Magento Commerce prior to 1.14.3.6, Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266, Magento 2.0.16, Magento 2.1.9
Reporter: Internal
APPSEC-1709: Customer email enumeration through frontend login
Type: Information Leak (system)
CVSSv3 Severity: 3.9 (Low)
Known Attacks: None
Description:

The account lockout mechanism leaks a Magento site's contact e-mail.

Product(s) Affected: Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento 2.0.16, Magento 2.1.9
Reporter: Internal
APPSEC-1495: Any user can interact with the sales order function despite not being authorized
Type: Insecure Direct Object Reference (IDOR)
CVSSv3 Severity: 3.8 (Low)
Known Attacks: None
Description:

A logged-in user can modify order fields that they do not have permission to view.

Product(s) Affected: Magento Open Source prior to 1.9.3.6, Magento Commerce prior to 1.14.3.6, Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266, Magento 2.0.16, Magento 2.1.9
Reporter: dalat

Be sure to implement and test the new version in a development environment first to confirm that it works as expected before deploying it to a production site. Information about installing a new release is available online at http://devdocs.magento.com/guides/v2.0/comp-mgr/bk-compman-upgrade-guide.html.