New Security Update

Install critical updates for Magento 1.x and Magento 2.x versions

SUPEE-11155

June 25, 2019

SUPEE-11155, Magento Commerce 1.14.4.2 and Open Source 1.9.4.2 contain multiple security enhancements that help close remote code execution (RCE), cross-site scripting (XSS), cross-site request forgery (CSRF) and other vulnerabilities.

Information on all the changes in 1.14.4.2 and 1.9.4.2 releases is available in the Magento Commerce and Magento Open Source release notes.

Patches and upgrades are available for the following Magento versions:

  • Magento Commerce 1.9.0.0-1.14.4.1: SUPEE-11155 or upgrade to Magento Commerce 1.14.4.2.

  • Magento Open Source 1.5.0.0-1.9.4.1: SUPEE-11155 or upgrade to Magento Open Source 1.9.4.2.

To download a patch or release, choose from the following options:

Partners:

SUPEE-11086

Magento Commerce 1.14.4.2

Partner Portal > Magento Commerce > Magento Commerce 1.X > Magento Commerce 1.x > Version 1.x Releases > Version 1.14.4.2

SUPEE-11155

Partner Portal > Magento Commerce > Magento Commerce 1.X > Magento Commerce 1.x > Support and Security Patches > Security Patches > Security Patches – June 2019 

Magento Commerce Merchants:

Magento Commerce 1.14.4.2

My Account > Downloads Tab > Magento Commerce 1.X > Magento Commerce 1.x > Version 1.x Releases > Version 1.14.4.2

SUPEE-11068

My Account > Downloads Tab > Magento Commerce 1.X > Magento Commerce 1.x > Support and Security Patches > Security Patches > Security Patches – June 2019

Magento Open Source Merchants:

Magento Open Source 1.9.4.2

Magento Open Source Download Page > Release Archive Tab

SUPEE-11155

Magento Open Source Download Page > Release Archive Tab > Magento Open Source Patches - 1.x Section

PRODSECBUG-2289: Arbitrary code execution in the advanced admin logging configuration - CVE-2019-7893
Type:General: Remote Code Execution
CVSSv3 Severity:9.1
Known Attacks:none
Description:

A user with administrator privileges and access to the advanced admin logging configuration can trigger remote code execution via PHP Object Injection.

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2.
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155
Reporter:Luke Rodgers
PRODSECBUG-2262: Arbitrary code execution by importing malicious dataflow profiles - CVE-2019-7884
Type:General: Remote Code Execution
CVSSv3 Severity:9.1
Known Attacks:none
Description:

An authenticated user with privileges to edit block permission, import dataflow functionality, and modify CMS content can execute arbitrary code by importing malicious dataflow profiles.

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2.
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155
Reporter:Peter O'Callaghan
PRODSECBUG-2351: Arbitrary code execution via crafted sitemap creation - CVE-2019-7932
Type:General: Remote Code Execution
CVSSv3 Severity:9.0
Known Attacks:none
Description:

An authenticated user with admin privileges to create sitemaps can execute arbitrary code via crafted filenames that include a PHP extension within the XML filename.

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter:Simon Scannell
PRODSECBUG-2324: PHP Object Injection in the Currency setup feature can lead to arbitrary code execution - CVE-2019-7914
Type:General: Remote Code Execution
CVSSv3 Severity:9.0
Known Attacks:none
Description:

A PHP Object Injection vulnerability in the currency setup feature can be exploited by an authenticated user with administrator privileges to execute arbitrary code.

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2.
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155
Reporter:Max Chadwick
PRODSECBUG-2382: PHP Object Injection in the Admin Actions Logging feature can lead to arbitrary code execution - CVE-2019-7946
Type:General: Remote Code Execution
CVSSv3 Severity:8.7
Known Attacks:none
Description:

A PHP Object Injection vulnerability in the admin actions logging configuration feature can be exploited by an authenticated user with administrator privileges to execute arbitrary code.

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2.
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155
Reporter:Max Chadwick
PRODSECBUG-2312: PHP Object Injection in the Model Design Package can lead to arbitrary code execution - CVE-2019-7906
Type:Injections: SQL Injection
CVSSv3 Severity:8.7
Known Attacks:none
Description:

A PHP Object Injection vulnerability in the model design package can be exploited by an authenticated user with administrator privileges to execute arbitrary code.

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2.
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155
Reporter:Max Chadwick
PRODSECBUG-2311: PHP Object Injection in the Enterprise Logging feature can lead to arbitrary code execution - CVE-2019-7905
Type:Injections: SQL Injection
CVSSv3 Severity:8.7
Known Attacks:none
Description:

A PHP Object Injection vulnerability in the enterprise logging configuration feature can be exploited by an authenticated user with administrator privileges to execute arbitrary code.

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2.
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155
Reporter:Max Chadwick
PRODSECBUG-2431: Remote code execution via dataflow import and catalog functionality - CVE-2019-7952
Type:General: Remote Code Execution
CVSSv3 Severity:8.4
Known Attacks:none
Description:

An authenticated user with admin privileges can execute arbitrary code via layout updates when using a crafted combination of dataflow import and catalog categories.

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2.
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155
Reporter:Internal Penetration Testing
PRODSECBUG-2320: Arbitrary code execution due to unsafe handling of system configuration - CVE-2019-7911
Type:General: Remote Code Execution
CVSSv3 Severity:7.9
Known Attacks:none
Description:

An authenticated user with admin privileges to manipulate system configuration can execute arbitrary code through server-side request forgery.

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter:Max Chadwick
PRODSECBUG-2319: Arbitrary code execution due to unsafe handling of payment bridge gateway - CVE-2019-7910
Type:General: Remote Code Execution
CVSSv3 Severity:7.9
Known Attacks:none
Description:

An authenticated user with admin privileges to manipulate payment methods can execute arbitrary code through server-side request forgery.

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2.
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155
Reporter:Max Chadwick
PRODSECBUG-2313: Arbitrary code execution due to unsafe deserialization of configuration fields - CVE-2019-7907
Type:General: Remote Code Execution
CVSSv3 Severity:7.6
Known Attacks:none
Description:

An authenticated user with configuration privileges can execute arbitrary code due to unserialization of user-controlled configuration values.

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2.
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155
Reporter:Edgar Boda-Majer
PRODSECBUG-2317: Stored cross-site scripting in admin panel - CVE-2019-7909
Type:General: cross-site scripting
CVSSv3 Severity:5.5
Known Attacks:none
Description:

A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript.

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter:Peter O'Callaghan
PRODSECBUG-2226: Stored cross-site scripting in the admin panel - CVE-2019-7875
Type:General: cross-site scripting
CVSSv3 Severity:5.5
Known Attacks:none
Description:

A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript.

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter:Roberto Suggi Liverani 
PRODSECBUG-2352: Stored cross-site scripting in the admin panel - CVE-2019-7933
Type:General: cross-site scripting
CVSSv3 Severity:5.5
Known Attacks:none
Description:

A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript.

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2.
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155
Reporter:Roberto Suggi Liverani 
PRODSECBUG-2334: Stored cross-site scripting in the admin panel - CVE-2019-7920
Type:General: cross-site scripting
CVSSv3 Severity:5.5
Known Attacks:none
Description:

A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript.

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2.
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155
Reporter:Max Chadwick
PRODSECBUG-2333: Stored cross-site scripting in the admin panel - CVE-2019-7919
Type:General: cross-site scripting
CVSSv3 Severity:5.5
Known Attacks:none
Description:

A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript.

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2.
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155
Reporter:Max Chadwick
PRODSECBUG-2275: Unsafe functionality is exposed via email templates manipulation - CVE-2019-7889
Type:General: injection
CVSSv3 Severity:5.5
Known Attacks:none
Description:

An authenticated user with marketing manipulation privileges can invoke methods that alter data of the underlying model followed by corresponding database modifications.

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter:Blaklis
PRODSECBUG-2299: Stored cross-site scripting in the admin panel - CVE-2019-7897
Type:General: cross-site scripting
CVSSv3 Severity:5.5
Known Attacks:none
Description:

A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript.

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter:Karim El Ouerghemmi 
PRODSECBUG-2304: Stored cross-site scripting in the admin panel - CVE-2019-7901
Type:General: cross-site scripting
CVSSv3 Severity:5.5
Known Attacks:none
Description:

A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript.

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2.
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155
Reporter:Max Chadwick
PRODSECBUG-2303: Stored cross-site scripting in the admin panel - CVE-2019-7900
Type:General: cross-site scripting
CVSSv3 Severity:5.5
Known Attacks:none
Description:

A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript.

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2.
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155
Reporter:Max Chadwick
PRODSECBUG-2234: Stored cross-site scripting in the admin panel - CVE-2019-7878
Type:General: cross-site scripting
CVSSv3 Severity:5.5
Known Attacks:none
Description:

A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript.

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2.
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155
Reporter:Peter O'Callaghan
PRODSECBUG-2380: Stored cross-site scripting in the Currency Symbols field - CVE-2019-7945
Type:General: cross-site scripting
CVSSv3 Severity:5.5
Known Attacks:none
Description:

An authenticated user with privileges to the Currency Symbols functionality can inject malicious javascript.

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter:Internal Penetration Testing
PRODSECBUG-2353: Stored cross-site scripting in the admin panel - CVE-2019-7934
Type:General: cross-site scripting
CVSSv3 Severity:5.5
Known Attacks:none
Description:

A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript.

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter:Roberto Suggi Liverani 
PRODSECBUG-2363: Stored cross-site scripting in the admin panel - CVE-2019-7935
Type:General: cross-site scripting
CVSSv3 Severity:5.5
Known Attacks:none
Description:

A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript.

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter:Max Chadwick
PRODSECBUG-2371: Stored cross-site scripting in the admin panel - CVE-2019-7940
Type:General: cross-site scripting
CVSSv3 Severity:5.5
Known Attacks:none
Description:

A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript.

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter:Max Chadwick
PRODSECBUG-2378: Stored cross-site scripting in the Return Product comments feature - CVE-2019-7944
Type:General: cross-site scripting
CVSSv3 Severity:5.5
Known Attacks:none
Description:

A stored cross-site scripting vulnerability exists in the product comments field. An authenticated user with privileges to the Return Product comments field can inject malicious javascript.

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter:Internal Penetration Testing
PRODSECBUG-2369: Stored cross-site scripting in the admin panel - CVE-2019-7938
Type:General: cross-site scripting
CVSSv3 Severity:5.5
Known Attacks:none
Description:

A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript.

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter:Karim El Ouerghemmi 
PRODSECBUG-2068: Stored cross-site scripting in the admin panel - CVE-2019-7848
Type:General: cross-site scripting
CVSSv3 Severity:5.5
Known Attacks:none
Description:

A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript.

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2.
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155
Reporter:Luke Rodgers
PRODSECBUG-2295: Use of cryptographically weak PRNG when autogenerating gift card codes - CVE-2019-7894
Type:General: Cryptographic/Encryption/Hashing Flaw
CVSSv3 Severity:5.3
Known Attacks:none
Description:

An authenticated user can discover regularity in automated gift card generation due to the use of a cryptographically weak pseudo-random number generator.

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2.
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155
Reporter:Max Chadwick
PRODSECBUG-2300: Information about disabled products can be leaked due to inadequate validation checks - CVE-2019-7898
Type:General: Information Leakage
CVSSv3 Severity:5.3
Known Attacks:none
Description:

Inadequate validation can lead to disclosure of downloadable product samples even if marked as disabled.

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter:Edgar Boda-Majer
PRODSECBUG-2241: Email functionality can be abused for SPAM or spoofing activities - CVE-2019-7879
Type:Others: Denial of Service
CVSSv3 Severity:5.3
Known Attacks:none
Description:

The default configuration of the Magento "Email to a friend" feature can be abused by an attacker to send SPAM or spoofed emails.

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2.
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155
Reporter:KAnev
PRODSECBUG-2270: Reflected cross-site scripting in the admin panel - CVE-2019-7887
Type:General: cross-site scripting
CVSSv3 Severity:5.0
Known Attacks:none
Description:

A reflected cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript.

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter:SmashITs
PRODSECBUG-2282: Deletion of terms and Conditions via cross-site request forgery (CSRF) - CVE-2019-7891
Type:General: Cross Site Request Forgery
CVSSv3 Severity:5.0
Known Attacks:none
Description:

An attacker can delete Terms and Conditions within the context of an authenticated administrator's session through cross-site request forgery (CSRF).

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2.
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155
Reporter:Djordje Marjanovic
PRODSECBUG-2246: Stored cross-site scripting in the WYSIWYG editor - CVE-2019-7882
Type:General: injection
CVSSv3 Severity:4.8
Known Attacks:none
Description:

A stored cross-site scripting vulnerability exists in the WYSIWYG editor. This could be exploited by an authenticated user with privileges to the editor to inject malicious SWF files.

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter:KAnev
PRODSECBUG-2395: Customer passwords are stored as plain-text in the accounts database when certain error conditions exist - CVE-2019-7948
Type:General: Cryptographic/Encryption/Hashing Flaw
CVSSv3 Severity:4.5
Known Attacks:none
Description:

A privileged administrator with access to the accounts database can read plain-text passwords when certain error conditions occur in the account creation process.

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2.
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155
Reporter:Kevin Schroeder
PRODSECBUG-2301: Names of disabled products can be leaked due to inadequate validation checks - CVE-2019-7899
Type:General: Information Leakage
CVSSv3 Severity:4.3
Known Attacks:none
Description:

Inadequate validation can lead to disclosure of product names even if marked as disabled.

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter:Edgar Boda-Majer
PRODSECBUG-2331: Weak password requirements when registering an account - CVE-2019-7918
Type:General: Cryptographic/Encryption/Hashing Flaw
CVSSv3 Severity:4.3
Known Attacks:none
Description:

Users can set weak passwords when registering new accounts, making them amenable to brute-force attacks.

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2.
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155
Reporter:Internal Penetration Testing
PRODSECBUG-2095: Defense-in-depth session validation check implemented - CVE-2019-7849
Type:Privilege Escalation & Enumeration: Broken Authentication and Session Management
CVSSv3 Severity:3.7
Known Attacks:none
Description:

A defense-in-depth check was added to mitigate inadequate session validation handling by 3rd party checkout modules.

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter:Roger-Keulen
PRODSECBUG-2330: Insecure user credential storage - CVE-2019-7917
Type:General: Cryptographic/Encryption/Hashing Flaw
CVSSv3 Severity:3.7
Known Attacks:none
Description:

User passwords are stored using an algorithm that is insufficiently resistant against brute force attacks.

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2.
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155
Reporter:Internal Penetration Testing
PRODSECBUG-2329: Use of insufficiently random values in multiple security relevant contexts - CVE-2019-7916
Type:General: Cryptographic/Encryption/Hashing Flaw
CVSSv3 Severity:3.7
Known Attacks:none
Description:

A cryptographically weak pseudo-random number generator is used in multiple security-relevant contexts (e.g., anti-CSRF tokens), allowing a malicious user to predict random values.

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2.
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155
Reporter:Internal Penetration Testing
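PRODSECBUG-2295 and PRODSECBUG-2329 share one root cause: values that must be unguessable (gift card codes, anti-CSRF tokens) drawn from a non-cryptographic PRNG. The following is an added illustration, not Magento's own code or the SUPEE-11155 fix; it assumes PHP 7.0 or later (random_int, random_bytes, hash_equals) and uses a constructed code alphabet and token length.

```php
<?php
// Added example (not Magento code): the weak-PRNG pattern behind
// PRODSECBUG-2295 / PRODSECBUG-2329, beside CSPRNG-based replacements.
// Assumes PHP >= 7.0. Alphabet and lengths are constructed choices.

// Alphabet without visually ambiguous characters (0/O, 1/I).
const CODE_ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';

// WEAK: mt_rand() is a Mersenne Twister. Its internal state can be recovered
// from observed outputs, so codes issued this way show the "regularity"
// described in PRODSECBUG-2295. Shown only as the pattern to replace.
function giftCardCodeWeak(int $length = 12): string
{
    $code = '';
    $max  = strlen(CODE_ALPHABET) - 1;
    for ($i = 0; $i < $length; $i++) {
        $code .= CODE_ALPHABET[mt_rand(0, $max)];
    }
    return $code;
}

// STRONG: random_int() draws from the operating system CSPRNG and is uniform
// over the requested range (no modulo bias), so no code reveals the next one.
function giftCardCodeStrong(int $length = 12): string
{
    $code = '';
    $max  = strlen(CODE_ALPHABET) - 1;
    for ($i = 0; $i < $length; $i++) {
        $code .= CODE_ALPHABET[random_int(0, $max)];
    }
    return $code;
}

// Anti-CSRF token (PRODSECBUG-2329 context): 256 bits of CSPRNG output,
// hex-encoded so it survives transport in a hidden form field.
function newFormKey(): string
{
    return bin2hex(random_bytes(32));
}

// Validate with a constant-time comparison so response timing does not
// leak how many leading characters of the submitted token were correct.
function formKeyIsValid(?string $submitted, string $expected): bool
{
    return is_string($submitted) && hash_equals($expected, $submitted);
}

// Self-check on constructed values.
$code = giftCardCodeStrong();
assert(strlen($code) === 12 && strspn($code, CODE_ALPHABET) === 12);

$key = newFormKey();
assert(strlen($key) === 64);
assert(formKeyIsValid($key, $key));
assert(!formKeyIsValid(null, $key));
assert(!formKeyIsValid(str_repeat('0', 64), $key));
echo "gift card code: {$code}\nform key: {$key}\n";
```

A practical audit check is to grep the codebase for rand(), mt_rand() and uniqid() in any path that issues codes, tokens, or reset links, and replace each with random_int() or random_bytes().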
PRODSECBUG-1912: Insecure Direct Object Reference (IDOR) vulnerability can remove gift registry recipients - CVE-2019-7847
Type:Privilege Escalation & Enumeration: Insecure Direct Object Reference
CVSSv3 Severity:3.7
Known Attacks:none
Description:

An Insecure Direct Object Reference (IDOR) vulnerability in the gift registry feature can lead to unauthorized removal of gift recipient details.

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2.
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155
Reporter:Peter O'Callaghan
PRODSECBUG-2387: Cross site request forgery attacks are possible via the gift card removal feature - CVE-2019-7947
Type:General: Cross Site Request Forgery
CVSSv3 Severity:3.1
Known Attacks:none
Description:

A cross-site request forgery vulnerability exists in the GiftCardAccount removal feature.

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2
Reporter:Anonymously reported
PRODSECBUG-2305: Deletion of reviews via cross-site request forgery (CSRF) - CVE-2019-7902
Type:General: Cross Site Request Forgery
CVSSv3 Severity:2.2
Known Attacks:none
Description:

A cross-site request forgery (CSRF) bug in the reviews feature could be abused to delete a customer review.

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2.
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155
Reporter:Djordje Marjanovic
PRODSECBUG-2372: PHP Object Injection in the Currency setup feature can lead to arbitrary code execution -
Type:General: Remote Code Execution
CVSSv3 Severity:
Known Attacks:none
Description:

A PHP Object Injection vulnerability in the currency setup feature can be exploited by an authenticated user with administrator privileges to execute arbitrary code.

Product(s) Affected:Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2.
Fixed In:Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155
Reporter:Max Chadwick
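The PHP Object Injection entries on this page (PRODSECBUG-2289, -2324, -2382, -2312, -2311, -2313 and -2372) share one root cause: a value an administrator can store is later passed to unserialize(), which instantiates whatever object graph the value describes. The following is an added illustration, not Magento's code or the SUPEE-11155 patch; it assumes PHP 7.3 or later (the allowed_classes option of unserialize() and JSON_THROW_ON_ERROR) and uses constructed sample values.

```php
<?php
// Added example (not Magento code): the unsafe deserialization pattern behind
// the PHP Object Injection entries above, beside two hardened replacements.
// Assumes PHP >= 7.3. Sample values below are constructed.

// VULNERABLE: an admin-editable configuration value is unserialized as-is.
// Any class present in the application can be instantiated this way, and its
// magic methods (__wakeup, __destruct, ...) run on the server.
function loadConfigUnsafe(string $stored)
{
    return unserialize($stored);
}

// HARDENED (legacy data): objects are never instantiated. Any "O:" or "C:"
// token becomes __PHP_Incomplete_Class, whose magic methods are not invoked,
// and the result is additionally required to be a plain array.
function loadConfigSafe(string $stored): array
{
    $value = @unserialize($stored, ['allowed_classes' => false]);
    if (!is_array($value)) {
        throw new UnexpectedValueException(
            'Configuration value must be a serialized array of scalars'
        );
    }
    return $value;
}

// PREFERRED (new data): JSON has no way to express PHP objects at all,
// so the deserializer cannot be turned into an object factory.
function storeConfig(array $config): string
{
    return json_encode($config, JSON_THROW_ON_ERROR);
}

function loadConfigJson(string $stored): array
{
    $value = json_decode($stored, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($value)) {
        throw new UnexpectedValueException('Configuration value must be a JSON object');
    }
    return $value;
}

// Constructed sample values: a legitimate array and a harmless stdClass graph
// (no gadget; it only shows that objects are rejected rather than built).
$legit       = serialize(['log_level' => 'error', 'rotate' => true]);
$objectGraph = 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}';

assert(loadConfigSafe($legit) === ['log_level' => 'error', 'rotate' => true]);

try {
    loadConfigSafe($objectGraph);
    assert(false, 'object graph must be rejected');
} catch (UnexpectedValueException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

$json = storeConfig(['log_level' => 'error', 'rotate' => true]);
assert(loadConfigJson($json) === ['log_level' => 'error', 'rotate' => true]);
echo "ok\n";
```

When auditing a store, every unserialize() call whose input originates from the database, a request, or an admin form is a candidate for this class of bug; converting the call to allowed_classes => false is the minimal change, and migrating the stored format to JSON removes the risk entirely.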

Please refer to Security Best Practices for additional information on how to secure your site.

Be sure to implement and test the patch in a development environment first to confirm that it works as expected before deploying it to a production site.