SUPEE-10570
February 27, 2018
SUPEE-10570, Magento Commerce 1.14.3.8 and Open Source 1.9.3.8 contain multiple security enhancements that help close remote code execution (RCE), cross-site scripting (XSS, and other issues. These releases also include small functional fixes listed in the release notes.
NOTE:
Magento was recently informed about an issue with both patch SUPEE-10570 and Magento versions 1.9.3.8/1.14.3.8 that could result in the inability of customers to complete checkout when trying to register during checkout. Magento is now providing an updated patch (SUPEE-10570v2) that no longer causes this issue. Note, however, that this new patch no longer protects against two low risk session handling-related security issues that patch SUPEE-10570 protected against.
If you have not yet applied SUPEE-10570v1, do not apply it, but instead patch your store with SUPEE-10570v2. If you have already applied SUPEE-10570v1, please first uninstall SUPEE-10570v1, then install SUPEE-10570v2. All stores should be patched with SUPEE-10570v2 as Magento will use this patch as a base for future patch versions.
Note:
If the patch fails to apply while patching lib/Zend/Mail/Transport/Sendmail.php, it might mean your Magento installation was previously patched with SUPEE-9652v1 instead of SUPEE-9652v2. The recommended solution is to revert patch SUPEE-9652v1 and apply SUPEE-9652v2 prior to applying SUPEE-10570.
Information on all the changes in 1.14.3.8 and 1.9.3.8 releases is available in the Magento Commerce and Magento Open Source release notes.
Patches and upgrades are available for the following Magento versions:
-
Magento Commerce 1.9.0.0-1.14.3.7: SUPEE-10570 or upgrade to Magento Commerce 1.14.3.8
-
Magento Open Source 1.5.0.0-1.9.3.7: SUPEE-10570 or upgrade to Magento Open Source 1.9.3.8
To download a patch or release, choose from the following options:
Partners:
|
Magento Commerce 1.14.3.8 |
Partner Portal > Magento Commerce > Magento Commerce 1.X > Magento Commerce 1.x > Version 1.x Releases > Version 1.14.3.8 |
|
SUPEE-10570 |
Partner Portal > Magento Commerce > Magento Commerce 1.X > Magento Commerce 1.x > Support and Security Patches > Security Patches > Security Patches – February 2018 |
Magento Commerce Merchants:
|
Magento Commerce 1.14.3.8 |
My Account > Downloads Tab > Magento Commerce 1.X > Magento Commerce 1.x > Version |
|
SUPEE-10570 |
My Account > Downloads Tab > Magento Commerce 1.X > Magento Commerce 1.x > Support and Security Patches > Security Patches > Security Patches – February 2018 |
Magento Open Source Merchants:
|
Magento Open Source 1.9.3.8 |
Magento Open Source Download Page > Release Archive Tab |
|
SUPEE-10570 |
Magento Open Source Download Page > Release Archive Tab > Magento Open Source Patches - 1.x Section |
| APPSEC-1932: Remote Code Execution Using XML Injection | |
|---|---|
| Type: | Remote Code Execution (RCE) |
| CVSSv3 Severity: | 9.8 (High) |
| Known Attacks: | None |
| Description: | An administrator with limited privileges can insert injectable XML into the layout table, which can create an opportunity for remote code execution. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8 |
| Fixed In: | Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570 |
| Reporter: | Peter O'Callaghan |
| APPSEC-1938: Remote Code Execution - additional fix not included in SUPEE-9652 | |
|---|---|
| Type: | Remote Code Execution (RCE) |
| CVSSv3 Severity: | 9.8 (High) |
| Known Attacks: | None |
| Description: | A user can insert information in a return path, thereby storing information on the file system that could lead to Remote Code Execution (RCE). |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8 |
| Fixed In: | Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570 |
| Reporter: | Cipriano Groenendal |
| APPSEC-1964: Remote Code Execution by (semi-)arbitrary file deletion for admin users with access to Import. | |
|---|---|
| Type: | Remote Code Execution (RCE) |
| CVSSv3 Severity: | 9.8 (High) |
| Known Attacks: | None |
| Description: | An administrator with Import permissions can import an XML file that could potentially provide an opportunity for Remote Code Execution (RCE). |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8 |
| Fixed In: | Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570 |
| Reporter: | Fabain |
| APPSEC-2000: Remote Code Execution in Staging Environment | |
|---|---|
| Type: | Remote Code Execution (RCE) |
| CVSSv3 Severity: | 7.2 (High) |
| Known Attacks: | None |
| Description: | An administrator with limited privileges can inject a malformed configuration bypass, which could potentially lead to a file redirection that could be leveraged for arbitrary remote code execution. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8 |
| Fixed In: | Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570 |
| Reporter: | Peter O'Callaghan |
| APPSEC-1994: Cross-Site Request Forgery in Store Backups | |
|---|---|
| Type: | Cross-Site Request Forgery (CSRF) |
| CVSSv3 Severity: | 6.4 (Medium) |
| Known Attacks: | None |
| Description: | An administrator can be tricked into performing a system backup by an attacker who has crafted a targeted Cross-Site Request forgery (CSRF) attack. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3 |
| Fixed In: | Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3 |
| Reporter: | Boskostan |
| APPSEC-1878/1890: Cross-site Scripting in CMS hierarchy | |
|---|---|
| Type: | Cross-site Scripting (XSS) - stored |
| CVSSv3 Severity: | 5.0 (Medium) |
| Known Attacks: | None |
| Description: | An administrator with limited privileges can insert script into the CMS hierarchy, which could potentially result in a stored cross-site scripting that affects other administrators. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.2 prior to 2.2.3 |
| Fixed In: | Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.2.3 |
| Reporter: | Max Chadwick and Magecraze |
| APPSEC-1908/1948: Cross-site Scripting in Custom Variables | |
|---|---|
| Type: | Cross-site Scripting (XSS) - stored |
| CVSSv3 Severity: | 5.0 (Medium) |
| Known Attacks: | None |
| Description: | An administrator with limited privileges can insert script in the custom variables name field, which could potentially result in stored cross-site scripting that affects other administrators. |
| Product(s) Affected: | Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3 |
| Fixed In: | Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3 |
| Reporter: | Magecraze |
| APPSEC-1916: Cross-site Scripting in Attribute Group Name | |
|---|---|
| Type: | Cross-site Scripting (XSS) - stored |
| CVSSv3 Severity: | 5.0 (Medium) |
| Known Attacks: | None |
| Description: | An administrator with limited privileges can insert script in the attribute group name field, which could potentially result in stored cross-site scripting that affects other administrators. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3 |
| Fixed In: | Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3 |
| Reporter: | Magecraze |
| APPSEC-1928: Cross-site Scripting in Downloadable Products | |
|---|---|
| Type: | Cross-site Scripting (XSS) - stored |
| CVSSv3 Severity: | 5.0 (Medium) |
| Known Attacks: | None |
| Description: | An administrator with limited privileges can insert script in the downloadable product link title field, which could subsequently lead to a stored cross-site scripting attack. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3 |
| Fixed In: | Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3 |
| Reporter: | Magecraze |
| APPSEC-1945: Cross-site Scripting in Product SKU | |
|---|---|
| Type: | |
| CVSSv3 Severity: | |
| Known Attacks: | None |
| Description: | An administrator with limited privileges can insert script in the RMA SKU field, which could potentially result in a stored cross-site scripting attack. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3 |
| Fixed In: | Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3 |
| Reporter: | Magecraze |
| APPSEC-1973: Cross-site Scripting in Newsletter Template | |
|---|---|
| Type: | Cross-site Scripting (XSS) - stored |
| CVSSv3 Severity: | 5.0 (Medium) |
| Known Attacks: | None |
| Description: | An administrator with limited privileges can embed cross-site scripting elements in the Newsletter template, which could potentially lead to a stored cross-site scripting attack. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3 |
| Fixed In: | Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3 |
| Reporter: | Peter O'Callaghan |
| APPSEC-1873/1979/1980: Cross-site Scripting in Site Settings | |
|---|---|
| Type: | Cross-site Scripting (XSS) - stored |
| CVSSv3 Severity: | 5.0 (Medium) |
| Known Attacks: | None |
| Description: | An administrator with limited privileges can embed cross-site scripting elements in the Website Name/Store View Name setting, which could potentially lead to a stored cross-site scripting attack. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3 |
| Fixed In: | Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3 |
| Reporter: | Max Chadwick and Peter O'Callaghan |
| APPSEC-1995: Cross-site Scripting in Downloadable Products | |
|---|---|
| Type: | Cross-site Scripting (XSS) - stored |
| CVSSv3 Severity: | 5.0 (Medium) |
| Known Attacks: | None |
| Description: | An administrator with limited privileges can insert arbitrary code into product fields, which could potentially lead to a stored cross-site scripting attack. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3 |
| Fixed In: | Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3 |
| Reporter: | Boskostan |
| APPSEC-1889: Cross-Site Request Forgery Protection Bypass | |
|---|---|
| Type: | Cross-Site Request Forgery (CSRF) |
| CVSSv3 Severity: | 4.9 (Medium) |
| Known Attacks: | None |
| Description: | An administrator with limited privileges can craft a cross-site request to perform requests on behalf of another administrator. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3 |
| Fixed In: | Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3 |
| Reporter: | Fabain |
| APPSEC-1553: Access to Gift Registries of Other Users | |
|---|---|
| Type: | Insecure Direct Object Reference (IDOR) |
| CVSSv3 Severity: | 4.8 (Medium) |
| Known Attacks: | None |
| Description: | A user can view gift registries that do not belong to them. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3 |
| Fixed In: | Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3 |
| Reporter: | Peter O'Callaghan |
| APPSEC-1026: Session Management (not included in SUPEE-10570v2) | |
|---|---|
| Type: | Session Management |
| CVSSv3 Severity: | 3.9 (Low) |
| Known Attacks: | None |
| Description: | Active sessions persist after a password change. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8 |
| Fixed In: | Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570 |
| Reporter: | Vishnu_Vardhan_Reddy |
| APPSEC-1937: Insufficient privilege seperation | |
|---|---|
| Type: | Information Exposure |
| CVSSv3 Severity: | 3.9 (Low) |
| Known Attacks: | None |
| Description: | Weak protection checking can potentially lead to privilege escalation or information disclosure. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3 |
| Fixed In: | Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3 |
| Reporter: | Peter O'Callaghan |
| APPSEC-1967/APPSEC-1972: Password Change Session Management (not included in SUPEE-10570v2) | |
|---|---|
| Type: | Session Management |
| CVSSv3 Severity: | 3.4 (Low) |
| Known Attacks: | None |
| Description: | Magento did not previously terminate existing sessions when the currently logged-in user changed his or her password. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3 |
| Fixed In: | Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3 |
| Reporter: | Internal |
Please refer to Security Best Practices for additional information on how to secure your site.
Be sure to implement and test the patch in a development environment first to confirm that it works as expected before deploying it to a production site.