New Security Update

Install critical updates for Magento 1.x and Magento 2.x versions

SUPEE-10415

November 28, 2017

SUPEE-10415, Magento Commerce 1.14.3.7 and Magento Open Source 1.9.3.7 contain multiple security enhancements that help close stored cross-site scripting (XSS), denial-of-service (DoS) and authenticated admin-user remote code execution (RCE) vulnerabilities. Apart from the DoS issue, which any site visitor can trigger, every item listed below requires an authenticated Admin account, although one with only limited privileges is enough. These releases also include a fix for customers who had experienced problems applying earlier patches caused by SOAP v1 interactions in WSDL.

Information on all the changes in 1.14.3.7 and 1.9.3.7 releases is available in the Magento Commerce and Magento Open Source release notes.

Patches and upgrades are available for the following Magento versions:

  • Magento Commerce 1.9.0.0-1.14.3.7: SUPEE-10415 or upgrade to Magento Commerce 1.14.3.7.

  • Magento Open Source 1.5.0.0-1.9.3.7: SUPEE-10415 or upgrade to Magento Open Source 1.9.3.7.

To download a patch or release, choose from the following options:

Partners:

Magento Commerce 1.14.3.7

Partner Portal > Magento Commerce > Magento Commerce 1.X > Magento Commerce 1.x > Version 1.x Releases > Version 1.14.3.7

SUPEE-10415

Partner Portal > Magento Commerce > Magento Commerce 1.X > Magento Commerce 1.x > Support and Security Patches > Security Patches > Security Patches – November 2017 

Magento Commerce Merchants:

Magento Commerce 1.14.3.7

My Account > Downloads Tab > Magento Commerce 1.X > Magento Commerce 1.x > Version 1.x Releases > Version 1.14.3.7

SUPEE-10415

My Account > Downloads Tab > Magento Commerce 1.X > Magento Commerce 1.x > Support and Security Patches > Security Patches > Security Patches – November 2017

Magento Open Source Merchants:

Magento Open Source 1.9.3.7

Magento Open Source Download Page > Release Archive Tab

SUPEE-10415

Magento Open Source Download Page > Release Archive Tab > Magento Open Source Patches - 1.x Section
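Once the patch or release is installed, a practitioner usually wants a repeatable check that a given store is actually covered. The script below is an added example, not part of this advisory and not Magento's own tooling. It assumes that app/etc/applied.patches.list, the file the Magento 1.x patch scripts append to, holds one pipe-separated line per apply or revert with the patch ID in the second field and a trailing "REVERTED" field when a patch was backed out; the sample list, its hashes and file names are constructed placeholders. The fixed-in versions come from this advisory, and the version string is what Mage::getVersion() returns on a Magento 1.x install.

```php
<?php
// Added example, not Magento code: decide whether a Magento 1.x install already carries
// a given SUPEE patch, either because the patch was applied or because the install is at
// or above the release that ships the fix (1.9.3.7 Open Source / 1.14.3.7 Commerce).
//
// Assumption: app/etc/applied.patches.list holds one pipe-separated line per apply/revert,
// patch ID in the second field, and a trailing "REVERTED" field when a patch was backed out.

function patchStateFromList(string $listContents, string $patchId): string
{
    $state = 'not applied';
    foreach (preg_split('/\R/', $listContents) as $line) {
        $fields = array_map('trim', explode('|', $line));
        if (count($fields) < 2 || $fields[1] !== $patchId) {
            continue;
        }
        // Lines are appended chronologically, so the last entry for this ID is authoritative.
        $state = in_array('REVERTED', $fields, true) ? 'reverted' : 'applied';
    }
    return $state;
}

// $version is the string Mage::getVersion() returns (e.g. "1.9.3.6"); $edition is 'ce' or 'ee'.
function releaseContainsFix(string $version, string $edition): bool
{
    $fixedIn = ['ce' => '1.9.3.7', 'ee' => '1.14.3.7'];   // from the advisory
    return version_compare($version, $fixedIn[$edition], '>=');
}

function supeeStatus(string $magentoRoot, string $patchId, string $version, string $edition): string
{
    if (releaseContainsFix($version, $edition)) {
        return 'fixed in release';
    }
    $list = $magentoRoot . '/app/etc/applied.patches.list';
    if (!is_readable($list)) {
        return 'not applied';   // no patch has ever recorded itself on this install (assumed)
    }
    return patchStateFromList(file_get_contents($list), $patchId);
}

// Constructed sample list (hashes and file names are placeholders): SUPEE-10266 applied,
// SUPEE-10415 applied and then reverted, so this install is still exposed.
$sampleList = <<<LIST
2017-09-15 10:12:03 UTC | SUPEE-10266 | CE_1.9.3.4 | v1 | 0000aaaa | PATCH_SUPEE-10266.sh | Thu Sep 14 2017 | 2017-09-14
2017-11-29 08:00:00 UTC | SUPEE-10415 | CE_1.9.3.6 | v1 | 0000bbbb | PATCH_SUPEE-10415.sh | Tue Nov 28 2017 | 2017-11-28
2017-11-29 08:30:00 UTC | SUPEE-10415 | CE_1.9.3.6 | v1 | 0000bbbb | PATCH_SUPEE-10415.sh | Tue Nov 28 2017 | 2017-11-28 | REVERTED
LIST;

foreach (['SUPEE-10266', 'SUPEE-10415'] as $id) {
    printf("%s: %s\n", $id, patchStateFromList($sampleList, $id));
}
printf("1.9.3.7 CE carries the fix: %s\n", releaseContainsFix('1.9.3.7', 'ce') ? 'yes' : 'no');
printf("1.14.3.6 EE carries the fix: %s\n", releaseContainsFix('1.14.3.6', 'ee') ? 'yes' : 'no');
```

Run supeeStatus() against each store's document root from a management host; a reverted entry after an applied one is the case that catches people out, which is why the last line for the ID wins rather than the first. Treat "not applied" on a pre-1.9.3.7 / pre-1.14.3.7 version as exposed regardless of what the hosting provider reports.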

APPSEC-1330: Unsanitized input leading to denial of service
Type: Denial-of-Service (DoS)
CVSSv3 Severity: 6.7 (Medium)
Known Attacks: None
Description:

A site visitor can create a customer account in which one of the submitted parameters causes a server-side denial of service. No authentication is required.

Product(s) Affected: Magento Open Source prior to 1.9.3.7, and Magento Commerce prior to 1.14.3.7.
Fixed In: Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415.
Reporter: Internal

APPSEC-1885: Stored XSS in Product Name field
Type: Cross-Site Scripting (XSS, stored)
CVSSv3 Severity: 6.6 (Medium)
Known Attacks: None
Description:

An administrator with limited privileges can insert script into the Product Name field, potentially resulting in a stored cross-site scripting attack that executes in the browsers of other administrators who view the product.

Product(s) Affected: Magento Open Source prior to 1.9.3.7, and Magento Commerce prior to 1.14.3.7.
Fixed In: Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415.
Reporter: hodollsoft

APPSEC-1892: Stored XSS in Visual Merchandiser
Type: Cross-Site Scripting (XSS, stored)
CVSSv3 Severity: 6.1 (Medium)
Known Attacks: None
Description:

An administrator with limited privileges can store a cross-site scripting payload in the Visual Merchandiser system.

Product(s) Affected: Magento Open Source prior to 1.9.3.7, and Magento Commerce prior to 1.14.3.7.
Fixed In: Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415.
Reporter: magecraze

APPSEC-1894: Remote Code Execution by leveraging unsafe unserialization
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 8.2 (High)
Known Attacks: None
Description:

An administrator with limited privileges can insert injectable code into promo fields whose contents are later passed to unsafe unserialization, creating an opportunity for arbitrary remote code execution.

Product(s) Affected: Magento Open Source prior to 1.9.3.7, and Magento Commerce prior to 1.14.3.7.
Fixed In: Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415.
Reporter: pocallaghan

APPSEC-1897: Fix WSDL based patching to work with SOAP V1
Type: Patch Fix
CVSSv3 Severity: None
Known Attacks: None
Description:

Addresses an issue, affecting a small number of customers, in which two prior patches did not correctly handle SOAP v1 interactions in WSDL.

Product(s) Affected: Magento Open Source prior to 1.9.3.7, and Magento Commerce prior to 1.14.3.7.
Fixed In: Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415.
Reporter: Internal

APPSEC-1913: Remote Code Execution through Config Manipulation
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 7.2 (High)
Known Attacks: None
Description:

An administrator with limited privileges can inject a malformed configuration value that bypasses validation, leading to a file redirection that can be leveraged into arbitrary remote code execution.

Product(s) Affected: Magento Open Source prior to 1.9.3.7, and Magento Commerce prior to 1.14.3.7.
Fixed In: Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415.
Reporter: pocallaghan

APPSEC-1914: Stored XSS in CMS Page Area
Type: Cross-Site Scripting (XSS, stored)
CVSSv3 Severity: 6.1 (Medium)
Known Attacks: None
Description:

An administrator with limited privileges can create a page within the Content Management System (CMS) with an embedded cross-site scripting attack.

Product(s) Affected: Magento Open Source prior to 1.9.3.7, and Magento Commerce prior to 1.14.3.7.
Fixed In: Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415.
Reporter: pocallaghan

APPSEC-1915: Remote Code Execution in CMS Page Area
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 8.2 (High)
Known Attacks: None
Description:

An administrator with limited privileges can create a specially crafted CMS page that is parsed incorrectly, potentially leading to arbitrary remote code execution.

Product(s) Affected: Magento Open Source prior to 1.9.3.7, and Magento Commerce prior to 1.14.3.7.
Fixed In: Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415.
Reporter: pocallaghan

APPSEC-1325: Stored XSS in Billing Agreements
Type: Cross-Site Scripting (XSS, stored)
CVSSv3 Severity: 5.5 (Medium)
Known Attacks: None
Description:

An administrator with limited privileges can create Billing Agreements with embedded cross-site scripting elements that can subsequently lead to a stored cross-site scripting attack.

Product(s) Affected: Magento Open Source prior to 1.9.3.7, Magento Commerce prior to 1.14.3.7, Magento 2.0 prior to 2.0.17, Magento 2.1 prior to 2.1.10, Magento 2.2 prior to 2.2.1.
Fixed In: Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415, Magento 2.0.17, Magento 2.1.10, Magento 2.2.1.
Reporter: pocallaghan

APPSEC-1830: PHP Object Injection in product attributes leading to Remote Code Execution
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 8.2 (High)
Known Attacks: None
Description:

An administrator with limited privileges can insert a widget block containing malicious code, creating an opportunity for arbitrary remote code execution.

Product(s) Affected: Magento Open Source prior to 1.9.3.7, Magento Commerce prior to 1.14.3.7, Magento 2.0 prior to 2.0.17, Magento 2.1 prior to 2.1.10, Magento 2.2 prior to 2.2.1.
Fixed In: Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415, Magento 2.0.17, Magento 2.1.10, Magento 2.2.1.
Reporter: fabian

APPSEC-1861: PHP Object Injection in product entries leading to Remote Code Execution
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 8.2 (High)
Known Attacks: None
Description:

An administrator with limited privileges can insert injectable code in promo fields, creating an opportunity for arbitrary remote code execution.

Product(s) Affected: Magento Open Source prior to 1.9.3.7, Magento Commerce prior to 1.14.3.7, Magento 2.0 prior to 2.0.17, Magento 2.1 prior to 2.1.10, Magento 2.2 prior to 2.2.1.
Fixed In: Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415, Magento 2.0.17, Magento 2.1.10, Magento 2.2.1.
Reporter: fabian
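Three of the RCE entries above (APPSEC-1894, APPSEC-1830 and APPSEC-1861) are the same bug class: text that a limited administrator controls is stored in a promo, widget or product field and later handed to PHP's unserialize(), which instantiates whatever class the string names and runs its magic methods. The snippet below is an added example, not code from this advisory or from Magento, showing the vulnerable pattern next to a hardened one. The CacheWriter gadget class, the loadOptions* function names, and the serialized payload are all constructed for illustration; real chains use classes that already exist in the application or its libraries.

```php
<?php
// Added example, not Magento code. Shows the bug class behind the PHP object injection
// entries: admin-controlled text stored in a field is later fed to unserialize(), so any
// loadable class with a magic method (__wakeup, __destruct, __toString) becomes a gadget.

// Hypothetical gadget class: its destructor writes a file wherever its properties say.
class CacheWriter
{
    public $path;
    public $data;

    public function __destruct()
    {
        file_put_contents($this->path, $this->data);
    }
}

// Vulnerable: decodes the stored field exactly as submitted, objects included.
function loadOptionsUnsafe(string $stored): array
{
    return (array) unserialize($stored);
}

// Hardened (PHP 7.0+): allowed_classes=false makes unserialize() return __PHP_Incomplete_Class
// for any object, so no class is instantiated and no __wakeup/__destruct ever runs.
// The field is supposed to hold a plain array, so anything else is rejected outright.
function loadOptionsSafe(string $stored): array
{
    $value = @unserialize($stored, ['allowed_classes' => false]);
    if (!is_array($value)) {
        throw new InvalidArgumentException('options blob must be a serialized array');
    }
    array_walk_recursive($value, function ($v) {
        // is_object() is true for __PHP_Incomplete_Class only from PHP 7.2, so check both.
        if (is_object($v) || $v instanceof __PHP_Incomplete_Class) {
            throw new InvalidArgumentException('object found in options blob');
        }
    });
    return $value;
}

// Constructed payload: what a limited admin could paste into the field. The gadget is
// benign here (writes a marker file to the temp directory) but the primitive is an
// arbitrary file write, which is how these chains reach code execution.
$target  = sys_get_temp_dir() . '/supee10415_gadget_demo.txt';
$marker  = 'written by the gadget';
$payload = sprintf('O:11:"CacheWriter":2:{s:4:"path";s:%d:"%s";s:4:"data";s:%d:"%s";}',
    strlen($target), $target, strlen($marker), $marker);

@unlink($target);
loadOptionsUnsafe($payload);   // object built, then destroyed: the file write happens here
echo 'unsafe: ', file_exists($target) ? "gadget wrote $target" : 'nothing written', PHP_EOL;
@unlink($target);

try {
    loadOptionsSafe($payload);
    echo 'safe: payload accepted (unexpected)', PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'safe: rejected, ', $e->getMessage(), PHP_EOL;
}

// A legitimate value still round-trips through the hardened loader.
$options = loadOptionsSafe(serialize(['free_shipping' => true, 'max_uses' => 10]));
echo 'safe: legitimate blob has ', count($options), ' keys', PHP_EOL;
```

The allowed_classes option needs PHP 7.0 or later; on older PHP there is no safe way to unserialize attacker-influenced strings, and the only fix is to stop doing it, typically by storing JSON instead. Note also why "limited privileges" matters in the entries above: the admin role that can edit a promotion or a product normally has no business executing code on the web server, so the ACL boundary was being crossed, not merely the authentication one.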