SUPEE-10415
November 28, 2017
SUPEE-10415, Magento Commerce 1.14.3.7 and Open Source 1.9.3.7 contain multiple security enhancements that help close cross-site request forgery (CSRF), Denial-of-Service (DoS) and authenticated Admin user remote code execution (RCE) vulnerabilities. These releases also include a fix for a small number of customers who had experienced issues applying prior patches, caused by SOAP v1 interactions in WSDL.
Information on all the changes in 1.14.3.7 and 1.9.3.7 releases is available in the Magento Commerce and Magento Open Source release notes.
Patches and upgrades are available for the following Magento versions:

- Magento Commerce 1.9.0.0-1.14.3.7: SUPEE-10415 or upgrade to Magento Commerce 1.14.3.7.
- Magento Open Source 1.5.0.0-1.9.3.7: SUPEE-10415 or upgrade to Magento Open Source 1.9.3.7.
To download a patch or release, choose from the following options:

Partners:

| Download | Location |
|---|---|
| Magento Commerce 1.14.3.7 | Partner Portal > Magento Commerce > Magento Commerce 1.X > Magento Commerce 1.x > Version 1.x Releases > Version 1.14.3.7 |
| SUPEE-10415 | Partner Portal > Magento Commerce > Magento Commerce 1.X > Magento Commerce 1.x > Support and Security Patches > Security Patches > Security Patches – November 2017 |

Magento Commerce Merchants:

| Download | Location |
|---|---|
| Magento Commerce 1.14.3.7 | My Account > Downloads Tab > Magento Commerce 1.X > Magento Commerce 1.x > Version |
| SUPEE-10415 | My Account > Downloads Tab > Magento Commerce 1.X > Magento Commerce 1.x > Support and Security Patches > Security Patches > Security Patches – November 2017 |

Magento Open Source Merchants:

| Download | Location |
|---|---|
| Magento Open Source 1.9.3.7 | Magento Open Source Download Page > Release Archive Tab |
| SUPEE-10415 | Magento Open Source Download Page > Release Archive Tab > Magento Open Source Patches - 1.x Section |

| APPSEC-1330: Unsanitized input leading to denial of service | |
|---|---|
| Type: | Denial-of-Service (DoS) |
| CVSSv3 Severity: | 6.7 (Medium) |
| Known Attacks: | None |
| Description: | A site visitor can create an account where one of the parameters will create a server denial-of-service. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.7, and Magento Commerce prior to 1.14.3.7. |
| Fixed In: | Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415. |
| Reporter: | Internal |

| APPSEC-1885: Stored XSS in Product Name field | |
|---|---|
| Type: | Cross-Site Scripting (XSS, stored) |
| CVSSv3 Severity: | 6.6 (Medium) |
| Known Attacks: | None |
| Description: | An administrator with limited privileges can insert script in the product name field, potentially resulting in a stored cross-site scripting that affects other administrators. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.7, and Magento Commerce prior to 1.14.3.7. |
| Fixed In: | Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415. |
| Reporter: | hodollsoft |

| APPSEC-1892: Stored XSS in Visual Merchandiser | |
|---|---|
| Type: | Cross-Site Scripting (XSS, stored) |
| CVSSv3 Severity: | 6.1 (Medium) |
| Known Attacks: | None |
| Description: | An administrator with limited privileges can create a stored cross-site scripting attack in the Visual Merchandiser system. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.7, and Magento Commerce prior to 1.14.3.7. |
| Fixed In: | Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415. |
| Reporter: | magecraze |

| APPSEC-1894: Remote Code Execution by leveraging unsafe unserialization | |
|---|---|
| Type: | Remote Code Execution (RCE) |
| CVSSv3 Severity: | 8.2 (High) |
| Known Attacks: | None |
| Description: | An administrator with limited privileges can insert injectable code in promo fields, creating an opportunity for arbitrary remote code execution. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.7, and Magento Commerce prior to 1.14.3.7. |
| Fixed In: | Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415. |
| Reporter: | pocallaghan |

| APPSEC-1897: Fix WSDL based patching to work with SOAP V1 | |
|---|---|
| Type: | Patch Fix |
| CVSSv3 Severity: | None |
| Known Attacks: | None |
| Description: | Addresses an issue affecting a small number of customers to enable two prior patches to handle SOAP v1 interactions in WSDL. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.7, and Magento Commerce prior to 1.14.3.7. |
| Fixed In: | Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415. |
| Reporter: | Internal |

| APPSEC-1913: Remote Code Execution through Config Manipulation | |
|---|---|
| Type: | Remote Code Execution (RCE) |
| CVSSv3 Severity: | 7.2 (High) |
| Known Attacks: | None |
| Description: | An administrator with limited privileges can inject a malformed configuration bypass leading to a file redirection that can be leveraged into arbitrary remote code execution. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.7, and Magento Commerce prior to 1.14.3.7. |
| Fixed In: | Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415. |
| Reporter: | pocallaghan |

| APPSEC-1914: Stored XSS in CMS Page Area | |
|---|---|
| Type: | Cross-Site Scripting (XSS, stored) |
| CVSSv3 Severity: | 6.1 (Medium) |
| Known Attacks: | None |
| Description: | An administrator with limited privileges can create a page within the Content Management System (CMS) with an embedded cross-site scripting attack. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.7, and Magento Commerce prior to 1.14.3.7. |
| Fixed In: | Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415. |
| Reporter: | pocallaghan |

| APPSEC-1915: Remote Code Execution in CMS Page Area | |
|---|---|
| Type: | Remote Code Execution (RCE) |
| CVSSv3 Severity: | 8.2 (High) |
| Known Attacks: | None |
| Description: | An administrator with limited privileges can create a specially crafted CMS page that can be parsed incorrectly, potentially leading to arbitrary remote code execution. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.7, and Magento Commerce prior to 1.14.3.7. |
| Fixed In: | Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415. |
| Reporter: | pocallaghan |

| APPSEC-1325: Stored XSS in Billing Agreements | |
|---|---|
| Type: | Cross-Site Scripting (XSS, stored) |
| CVSSv3 Severity: | 5.5 (Medium) |
| Known Attacks: | None |
| Description: | An administrator with limited privileges can create Billing Agreements with embedded cross-site scripting elements that can subsequently lead to a stored cross-site scripting attack. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.7, and Magento Commerce prior to 1.14.3.7, Magento 2.0 prior to 2.0.17, Magento 2.1 prior to 2.1.10, Magento 2.2 |
| Fixed In: | Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415, Magento 2.0.17, Magento 2.1.10, Magento 2.2.1 |
| Reporter: | pocallaghan |
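
The four stored XSS entries (APPSEC-1885, APPSEC-1892, APPSEC-1914 and APPSEC-1325) share one root cause: a string saved by a limited-privilege administrator is later written into admin pages without encoding for the context it lands in, so it runs in the browser of every other administrator who views it. The PHP below is an added illustration written for this page, not code from Magento or from the advisory; the function names and the sample product name are constructed, and it assumes PHP 7 or later.

```php
<?php
// Added example, not Magento code: context-aware output encoding for an
// administrator-supplied string (here a product name) so that a stored
// payload renders as text instead of executing. Names are illustrative.

declare(strict_types=1);

// HTML text-node and double-quoted-attribute contexts.
function escapeHtml(string $value): string
{
    // ENT_QUOTES escapes both quote styles, ENT_SUBSTITUTE replaces invalid
    // UTF-8 instead of silently returning '', and the explicit charset
    // prevents encoding confusion between storage and output.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript string-literal context inside an inline <script> block.
function escapeJs(string $value): string
{
    // JSON encoding with the HEX flags turns < > & ' " into \uXXXX escapes,
    // so a value containing "</script>" cannot close the script element.
    $encoded = json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE
    );
    if ($encoded === false) {
        throw new InvalidArgumentException('value is not valid UTF-8');
    }
    return $encoded;
}

// Constructed stored value, as a limited-privilege admin might have saved it.
$productName = '<img src=x onerror=alert(1)> "Deluxe" Widget</script>';

// Vulnerable rendering: the stored value is interpolated raw into markup,
// so the browser treats the <img> element and its handler as live HTML.
$unsafeRow = "<td>$productName</td>";

// Hardened rendering: one encoder per output context.
$safeRow   = '<td>' . escapeHtml($productName) . '</td>';
$safeInput = '<input type="text" value="' . escapeHtml($productName) . '">';
$safeJs    = '<script>var productName = ' . escapeJs($productName) . ';</script>';

echo "vulnerable: $unsafeRow", PHP_EOL;
echo "text node:  $safeRow", PHP_EOL;
echo "attribute:  $safeInput", PHP_EOL;
echo "script:     $safeJs", PHP_EOL;
```

The point of having two encoders rather than one is that HTML encoding is not sufficient inside a `<script>` block (the HTML parser does not decode entities there), and JavaScript encoding is not sufficient in an attribute. Encoding at output time, per context, is also what lets the same stored value be displayed safely in a grid cell, a form field and a JavaScript variable without ever trying to "clean" it on the way in.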

| APPSEC-1830: PHP Object Injection in product attributes leading to Remote Code Execution | |
|---|---|
| Type: | Remote Code Execution (RCE) |
| CVSSv3 Severity: | 8.2 (High) |
| Known Attacks: | None |
| Description: | An administrator with limited privileges can insert a widget block containing malicious code, creating an opportunity for arbitrary remote code execution. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.7, and Magento Commerce prior to 1.14.3.7, Magento 2.0 prior to 2.0.17, Magento 2.1 prior to 2.1.10, Magento 2.2 |
| Fixed In: | Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415, Magento 2.0.17, Magento 2.1.10, Magento 2.2.1 |
| Reporter: | fabian |

| APPSEC-1861: PHP Object Injection in product entries leading to Remote Code Execution | |
|---|---|
| Type: | Remote Code Execution (RCE) |
| CVSSv3 Severity: | 8.2 (High) |
| Known Attacks: | None |
| Description: | An administrator with limited privileges can insert injectable code in promo fields, creating an opportunity for arbitrary remote code execution. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.7, and Magento Commerce prior to 1.14.3.7, Magento 2.0 prior to 2.0.17, Magento 2.1 prior to 2.1.10, Magento 2.2 |
| Fixed In: | Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415, Magento 2.0.17, Magento 2.1.10, Magento 2.2.1 |
| Reporter: | fabian |
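
APPSEC-1894, APPSEC-1830 and APPSEC-1861 are all the same vulnerability class, PHP object injection: a field an administrator can write is later passed to `unserialize()`, which instantiates whatever classes the stored string names and runs their `__wakeup()` or `__destruct()` methods. Whoever controls the field therefore controls which application code runs, which is why an otherwise limited admin account is rated as remote code execution. The PHP below is an added illustration written for this page, not Magento's code or its patch; the class, function names and sample payloads are constructed, and it assumes PHP 7.0 or later for the `allowed_classes` option.

```php
<?php
// Added example, not Magento code: why unserialize() on admin-supplied data
// is a remote code execution risk and how to decode the same data without
// instantiating objects. Class and function names are illustrative.

declare(strict_types=1);

// Stand-in for any application class with a magic method. The side effect
// here is only an echo; in a real code base a __wakeup()/__destruct() that
// writes files or evaluates templates is what turns object injection into
// code execution.
final class CacheFlusher
{
    public $path = '/tmp/cache';

    public function __wakeup()
    {
        echo "__wakeup() executed with path {$this->path}" . PHP_EOL;
    }
}

// Vulnerable pattern: a stored field goes straight to unserialize(), so
// whoever could write the field chooses which classes get instantiated.
function decodeUnsafe(string $stored)
{
    return unserialize($stored);
}

// Hardened pattern: reject object tokens up front, and tell PHP to create no
// classes at all so that only scalars and arrays can come back.
function decodeSafe(string $stored)
{
    // O: (object) and C: (custom-serialized) tokens at the start of a value.
    // The check can also reject a legitimate string that happens to contain
    // such a token right after a ';', which fails closed rather than open.
    if (preg_match('/(^|[;{])[OC]:\d+:"/', $stored) === 1) {
        throw new InvalidArgumentException('serialized objects are not accepted');
    }
    // Even if the regex were bypassed, allowed_classes => false makes PHP
    // return __PHP_Incomplete_Class instead of a live object, so no magic
    // method of an application class can run.
    $value = unserialize($stored, ['allowed_classes' => false]);
    if ($value === false && $stored !== serialize(false)) {
        throw new InvalidArgumentException('malformed serialized data');
    }
    return $value;
}

// Constructed inputs: a legitimate promo configuration and a smuggled object.
$legitimate = serialize(['discount_percent' => 10, 'label' => 'Winter promo']);
$injected   = serialize(new CacheFlusher());

var_dump(decodeSafe($legitimate));          // the plain array comes back intact
try {
    decodeSafe($injected);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}

// For comparison, the vulnerable decoder runs __wakeup() before returning.
$object = decodeUnsafe($injected);
echo 'vulnerable decoder produced ' . get_class($object) . PHP_EOL;
```

For new storage the cleaner fix is to avoid PHP's native format altogether and persist such fields as JSON with `json_encode()`/`json_decode()`, which can never instantiate a class; the guard above is what remains when existing serialized data has to be read. Either way, the field stays readable for legitimate array-shaped configuration while the class-instantiation path is closed to every admin role, not just the limited ones named in the advisory.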