New Security Update

Install critical updates for Magento 1.x and Magento 2.x versions

SUPEE-11086

March 26, 2019

SUPEE-11086, Magento Commerce 1.14.4.1 and Magento Open Source 1.9.4.1 contain multiple security enhancements that help close remote code execution (RCE), cross-site scripting (XSS), cross-site request forgery (CSRF) and other vulnerabilities.

Information on all the changes in 1.14.4.1 and 1.9.4.1 releases is available in the Magento Commerce and Magento Open Source release notes.

Patches and upgrades are available for the following Magento versions:

  • Magento Commerce 1.9.0.0-1.14.4.0: SUPEE-11086 or upgrade to Magento Commerce 1.14.4.1.

  • Magento Open Source 1.5.0.0-1.9.4.0: SUPEE-11086 or upgrade to Magento Open Source 1.9.4.1.

To download a patch or release, choose from the following options:

Partners:

Magento Commerce 1.14.4.1

Partner Portal > Magento Commerce > Magento Commerce 1.X > Magento Commerce 1.x > Version 1.x Releases > Version 1.14.4.1

SUPEE-11086

Partner Portal > Magento Commerce > Magento Commerce 1.X > Magento Commerce 1.x > Support and Security Patches > Security Patches > Security Patches – March 2019

Magento Commerce Merchants:

Magento Commerce 1.14.4.1

My Account > Downloads Tab > Magento Commerce 1.X > Magento Commerce 1.x > Version 1.x Releases > Version 1.14.4.1

SUPEE-11086

My Account > Downloads Tab > Magento Commerce 1.X > Magento Commerce 1.x > Support and Security Patches > Security Patches > Security Patches – March 2019

Magento Open Source Merchants:

Magento Open Source 1.9.4.1

Magento Open Source Download Page > Release Archive Tab

SUPEE-11086

Magento Open Source Download Page > Release Archive Tab > Magento Open Source Patches - 1.x Section

PRODSECBUG-2198: SQL injection vulnerability exploitable by an unauthenticated user
Type: Injections: SQL
CVSSv3 Severity: 9.0
Known Attacks: none
Description:

An unauthenticated user can execute arbitrary SQL through an SQL injection vulnerability, which leads to sensitive data leakage.

Product(s) Affected: Magento Open Source prior to 1.9.4.1, Magento Commerce prior to 1.14.4.1, Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, and Magento 2.3 prior to 2.3.1
Fixed In: Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086, Magento 2.1.17, Magento 2.2.8, Magento 2.3.1
Reporter: cfreal

PRODSECBUG-2285: Remote code execution via server-side request forgery issued to Redis
Type: General: Remote Code Execution
CVSSv3 Severity: 8.5
Known Attacks: none
Description:

An authenticated user with administrative privileges to store configuration can execute arbitrary code via a server-side request forgery (SSRF) issued to Redis. The SSRF is facilitated through a crafted gateway XML URL configuration.

Product(s) Affected: Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1.
Fixed In: Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086
Reporter: Max Chadwick

PRODSECBUG-2273: Arbitrary code execution due to unsafe handling of a malicious product attribute configuration
Type: General: Remote Code Execution
CVSSv3 Severity: 8.5
Known Attacks: none
Description:

An authenticated user with privileges to configure products can execute arbitrary PHP code.

Product(s) Affected: Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1.
Fixed In: Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086
Reporter: Blaklis_

PRODSECBUG-2261: Arbitrary code execution due to unsafe deserialization of a PHP archive
Type: General: Remote Code Execution
CVSSv3 Severity: 8.5
Known Attacks: none
Description:

An authenticated user with administrative privileges can execute arbitrary code through a Phar deserialization vulnerability.

Product(s) Affected: Magento Open Source prior to 1.9.4.1, Magento Commerce prior to 1.14.4.1, Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, and Magento 2.3 prior to 2.3.1
Fixed In: Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086, Magento 2.1.17, Magento 2.2.8, Magento 2.3.1
Reporter: Simon Scannell

PRODSECBUG-2253: Arbitrary code execution due to unsafe handling of a malicious layout update
Type: General: Remote Code Execution
CVSSv3 Severity: 8.5
Known Attacks: none
Description:

An authenticated user with privileges to the dataflow importer and catalog categories can execute arbitrary PHP code.

Product(s) Affected: Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1.
Fixed In: Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086
Reporter: Luke Rodgers

PRODSECBUG-2203: Remote code execution through PHP code that can be uploaded to the nginx server due to crafted customer store attributes
Type: General: Remote Code Execution
CVSSv3 Severity: 8.5
Known Attacks: none
Description:

An authenticated user with privileges to modify a customer's store attributes can execute arbitrary code when allowed to upload PHP input files to the nginx server.

Product(s) Affected: Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1.
Fixed In: Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086
Reporter: Max Chadwick

PRODSECBUG-2210: Remote code execution through arbitrary XML data sent through a layout table
Type: General: Remote Code Execution
CVSSv3 Severity: 8.5
Known Attacks: none
Description:

An authenticated user with administrative privileges to modify layouts can execute arbitrary code by injecting arbitrary XML data into a layout table.

Product(s) Affected: Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1.
Fixed In: Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086
Reporter: Pete O'Callaghan

PRODSECBUG-2252: Arbitrary code execution through bypass of PHP file upload restriction
Type: General: Remote Code Execution
CVSSv3 Severity: 8.5
Known Attacks: none
Description:

An authenticated user with privileges to system configuration files can bypass file upload restrictions and upload and execute arbitrary PHP code.

Product(s) Affected: Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1.
Fixed In: Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086
Reporter: Luke Rodgers

PRODSECBUG-2232: Arbitrary code execution due to bypass of layout validator
Type: General: Remote Code Execution
CVSSv3 Severity: 8.0
Known Attacks: none
Description:

An authenticated user with privileges can bypass the layout validator and execute arbitrary code through layout updates in the Admin.

Product(s) Affected: Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1.
Fixed In: Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086
Reporter: Pete O'Callaghan

PRODSECBUG-2245: Stored cross-site scripting in the escaper framework
Type: General: Cross Site Scripting
CVSSv3 Severity: 7.6
Known Attacks: none
Description:

An authenticated user with administrative privileges can execute arbitrary script code via a stored cross-site scripting vulnerability, using a newline character in the escaper framework.

Product(s) Affected: Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1.
Fixed In: Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086
Reporter: Max Chadwick

PRODSECBUG-2182: Reflected cross-site scripting in the product widget chooser section of the Admin
Type: General: Cross Site Scripting
CVSSv3 Severity: 6.5
Known Attacks: none
Description:

An authenticated user with administrative privileges can embed arbitrary script code in the product widget chooser section of the Admin.

Product(s) Affected: Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1.
Fixed In: Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086
Reporter: magecraze

MPERF-10416: Deletion of Catalog rules through cross-site request forgery
Type: General: Cross Site Request Forgery
CVSSv3 Severity: 5.8
Known Attacks: none
Description:

An attacker can use cross-site request forgery to delete Catalog rules within the context of an authenticated administrator's session.

Product(s) Affected: Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1.
Fixed In: Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086
Reporter: Internal

MPERF-10400: Deletion of Catalog products through cross-site request forgery
Type: General: Cross Site Request Forgery
CVSSv3 Severity: 5.8
Known Attacks: none
Description:

An attacker can use cross-site request forgery to delete Catalog products within the context of an authenticated administrator's session.

Product(s) Affected: Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1.
Fixed In: Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086
Reporter: Internal

PRODSECBUG-2178: Stored cross-site scripting in the Admin via the Admin Shopping Cart Rules page
Type: General: Cross Site Scripting
CVSSv3 Severity: 5.8
Known Attacks: none
Description:

An authenticated user with administrative privileges can embed arbitrary script code in the Conditions tab of the Admin Shopping Cart Rules page.

Product(s) Affected: Magento Open Source prior to 1.9.4.1, Magento Commerce prior to 1.14.4.1, Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, and Magento 2.3 prior to 2.3.1
Fixed In: Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086, Magento 2.1.17, Magento 2.2.8, Magento 2.3.1
Reporter: magecraze

PRODSECBUG-2227: Deletion of SOAP/XML-RPC User and SOAP/XML-RPC Role through cross-site request forgery
Type: General: Cross Site Request Forgery
CVSSv3 Severity: 5.8
Known Attacks: none
Description:

An attacker can delete a SOAP/XML-RPC User and a SOAP/XML-RPC Role within the context of an authenticated administrator's session through cross-site request forgery.

Product(s) Affected: Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1.
Fixed In: Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086
Reporter: djordje-marjanovic

PRODSECBUG-2222: Deletion of user roles through cross-site request forgery
Type: General: Cross Site Request Forgery
CVSSv3 Severity: 5.8
Known Attacks: none
Description:

An attacker can delete user roles through cross-site request forgery within the context of an authenticated administrator's session.

Product(s) Affected: Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1.
Fixed In: Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086
Reporter: djordje-marjanovic

PRODSECBUG-2220: Deletion of store design schedule through cross-site request forgery
Type: General: Cross Site Request Forgery
CVSSv3 Severity: 5.8
Known Attacks: none
Description:

An attacker can delete the store design schedule within the context of an authenticated administrator's session through cross-site request forgery.

Product(s) Affected: Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1.
Fixed In: Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086
Reporter: djordje-marjanovic

PRODSECBUG-2212: Deletion of shopping cart price rules through cross-site request forgery
Type: General: Cross Site Request Forgery
CVSSv3 Severity: 5.8
Known Attacks: none
Description:

An attacker can delete shopping cart price rules within the context of an authenticated administrator's session through cross-site request forgery.

Product(s) Affected: Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1.
Fixed In: Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086
Reporter: magecraze

PRODSECBUG-2254: Deletion of REST Role and REST OAuth Consumer, and change of REST Attribute, via cross-site request forgery
Type: General: Cross Site Request Forgery
CVSSv3 Severity: 5.8
Known Attacks: none
Description:

An attacker can delete a REST Role and a REST OAuth Consumer, and change a REST Attribute, within the context of an authenticated administrator's session via cross-site request forgery.

Product(s) Affected: Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1.
Fixed In: Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086
Reporter: djordje-marjanovic

PRODSECBUG-2195: Deletion of a product attribute through cross-site request forgery
Type: General: Cross Site Request Forgery
CVSSv3 Severity: 5.8
Known Attacks: none
Description:

An attacker can delete a product attribute within the context of an authenticated administrator's session through cross-site request forgery.

Product(s) Affected: Magento Open Source prior to 1.9.4.1, Magento Commerce prior to 1.14.4.1, Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, and Magento 2.3 prior to 2.3.1
Fixed In: Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086, Magento 2.1.17, Magento 2.2.8, Magento 2.3.1
Reporter: djordje-marjanovic

PRODSECBUG-2225: Deletion of an Admin user through cross-site request forgery
Type: General: Cross Site Request Forgery
CVSSv3 Severity: 5.8
Known Attacks: none
Description:

An attacker can delete an administrative user through cross-site request forgery within the context of an authenticated administrator's session.

Product(s) Affected: Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1.
Fixed In: Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086
Reporter: djordje-marjanovic

PRODSECBUG-2244: Stored cross-site scripting in the Admin through the Email Template Preview section
Type: General: Cross Site Scripting
CVSSv3 Severity: 5.5
Known Attacks: none
Description:

An authenticated user with privileges can embed malicious code in the Email Template Preview section of the Admin.

Product(s) Affected: Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1.
Fixed In: Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086
Reporter: Roberto Suggi Liverani

PRODSECBUG-2230: Data manipulation due to improper validation
Type: General: Cross Site Request Forgery
CVSSv3 Severity: 5.4
Known Attacks: none
Description:

An authenticated user can manipulate data without the required validation.

Product(s) Affected: Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1.
Fixed In: Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086
Reporter: Pete O'Callaghan

PRODSECBUG-2197: Admin credentials are logged in exception reports
Type: Information Disclosure
CVSSv3 Severity: 3.9
Known Attacks: none
Description:

Exception error reports capture administrative credentials in clear text.

Product(s) Affected: Magento Open Source prior to 1.9.4.1, Magento Commerce prior to 1.14.4.1, Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, and Magento 2.3 prior to 2.3.1
Fixed In: Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086, Magento 2.1.17, Magento 2.2.8, Magento 2.3.1
Reporter: magecraze, Matt Hamm

PRODSECBUG-2186: Unauthorized access to the order list through an insecure direct object reference in the application
Type: Privilege Escalation & Enumeration: Insecure Direct Object Reference
CVSSv3 Severity: 3.7
Known Attacks: none
Description:

A registered user can enumerate and access an order list they are not authorized to see, through an insecure direct object reference in the application.

Product(s) Affected: Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1.
Fixed In: Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086
Reporter: Roberto Suggi Liverani

Please refer to Security Best Practices for additional information on how to secure your site.

Be sure to implement and test the patch in a development environment first to confirm that it works as expected before deploying it to a production site.
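After the patch or release has been rolled out, the first thing a practitioner wants is a quick way to tell whether a given Magento 1.x tree is still inside the affected ranges listed above (Open Source prior to 1.9.4.1, Commerce prior to 1.14.4.1) and, if it is, whether SUPEE-11086 has already been recorded on it. The following shell script is an added example written for this page; it is not a tool shipped by Magento and is not part of the advisory. It rests on three assumptions the advisory does not state: that app/Mage.php carries the version as the 'major', 'minor', 'revision' and 'patch' entries of its getVersionInfo() array, that the SUPEE shell patches append one line per applied patch to app/etc/applied.patches.list with the patch id as the second pipe-separated field, and that a Magento Commerce tree contains app/code/core/Enterprise. The make_fixture function builds a constructed fake install so the script can be exercised offline; in real use, point check_supee_11086 at the web root instead.

```shell
#!/bin/sh
# Added example, not part of the Magento advisory and not Magento's own code:
# report whether a Magento 1.x install already contains the SUPEE-11086 fix,
# either because it runs a fixed release (Open Source 1.9.4.1+ / Commerce
# 1.14.4.1+) or because the patch is recorded as applied.
# Assumptions (not stated on the advisory page):
#   - app/Mage.php::getVersionInfo() lists the version as lines like
#     'major' => '1', 'minor' => '9', 'revision' => '4', 'patch' => '1'
#   - SUPEE shell patches append one line per run to app/etc/applied.patches.list
#     with the patch id as the second "|"-separated field
#   - Magento Commerce (Enterprise) installs have app/code/core/Enterprise
# Usage: sh check_supee_11086.sh /var/www/magento

# Print the dotted version found in app/Mage.php (e.g. 1.9.4.0); fail if absent.
magento_version() {
    mage="$1/app/Mage.php"
    [ -f "$mage" ] || return 1
    v=""
    for key in major minor revision patch; do
        part=$(sed -n "s/.*'$key'[[:space:]]*=>[[:space:]]*'\([0-9]*\)'.*/\1/p" "$mage" | head -n 1)
        [ -n "$part" ] || return 1
        v="${v:+$v.}$part"
    done
    printf '%s\n' "$v"
}

# Succeed if SUPEE-11086 appears as the patch-id field of applied.patches.list.
supee_11086_applied() {
    list="$1/app/etc/applied.patches.list"
    [ -f "$list" ] || return 1
    awk -F'|' '{ gsub(/^[ \t]+|[ \t]+$/, "", $2); if ($2 == "SUPEE-11086") found = 1 }
               END { exit !found }' "$list"
}

# version_ge A B: succeed when dotted version A is >= B, comparing numerically
# component by component (missing components count as 0).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 1
    done
    return 0
}

# Exit 0 when the install is covered, 1 when SUPEE-11086 is still needed,
# 2 when the version could not be read.
check_supee_11086() {
    root="$1"
    ver=$(magento_version "$root") || { echo "$root: cannot read app/Mage.php"; return 2; }
    if [ -d "$root/app/code/core/Enterprise" ]; then fixed=1.14.4.1; else fixed=1.9.4.1; fi
    if version_ge "$ver" "$fixed"; then
        echo "$root: $ver is at or above $fixed, the fix is part of the release"
        return 0
    fi
    if supee_11086_applied "$root"; then
        echo "$root: $ver with SUPEE-11086 recorded in applied.patches.list"
        return 0
    fi
    echo "$root: $ver without SUPEE-11086, apply the patch or upgrade to $fixed"
    return 1
}

# Constructed fixture for a dry run (not a real install): an Open Source 1.9.4.0
# tree with SUPEE-11086 recorded. Prints the fixture path.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/app/etc"
    cat > "$root/app/Mage.php" <<'EOF'
<?php
    public static function getVersionInfo()
    {
        return array(
            'major'     => '1',
            'minor'     => '9',
            'revision'  => '4',
            'patch'     => '0',
        );
    }
EOF
    echo "2019-03-26 10:00:00 UTC | SUPEE-11086 | CE_1.9.4.0 | v1 | constructed" \
        > "$root/app/etc/applied.patches.list"
    printf '%s\n' "$root"
}

# When run with a path argument, check that install and exit with its status.
if [ $# -ge 1 ]; then
    check_supee_11086 "$1"
fi
```

The script treats a version at or above the fixed release as covered without consulting the patch list, because the release already carries the fix; for an older version it falls back to the recorded patch entry. It does not look at Magento 2.x installs, whose fixed releases are listed in the entries above, and it cannot tell whether a patch was later reverted, so treat a "recorded" result as a prompt to confirm in the Admin rather than as proof.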