SUPEE-11219
October 8, 2019
SUPEE-11219, Magento Commerce 1.14.4.3 and Open Source 1.9.4.3 contain multiple security enhancements that help close remote code execution (RCE), cross-site scripting (XSS), cross-site request forgery (CSRF) and other vulnerabilities.
Information on all the changes in 1.14.4.3 and 1.9.4.3 releases is available in the
Magento Commerce and
Magento Open Source release notes.
Patches and upgrades are available for the following Magento versions:
-
Magento Commerce 1.9.0.0-1.14.4.1: SUPEE-11219 or upgrade to Magento Commerce 1.14.4.3.
-
Magento Open Source 1.5.0.0-1.9.4.1: SUPEE-11219 or upgrade to Magento Open Source 1.9.4.3.
To download a patch or release, choose from the following options:
Partners:
SUPEE-11086
|
Magento Commerce 1.14.4.3 |
Partner Portal > Magento Commerce > Magento Commerce 1.X > Magento Commerce 1.x > Version 1.x Releases > Version 1.14.4.3 |
|
SUPEE-11219 |
Partner Portal > Magento Commerce > Magento Commerce 1.X > Magento Commerce 1.x > Support and Security Patches > Security Patches > Security Patches – October 2019 |
Magento Commerce Merchants:
|
Magento Commerce 1.14.4.3 |
My Account > Downloads Tab > Magento Commerce 1.X > Magento Commerce 1.x > Version |
|
SUPEE-11068 |
My Account > Downloads Tab > Magento Commerce 1.X > Magento Commerce 1.x > Support and Security Patches > Security Patches > Security Patches – October 2019 |
Magento Open Source Merchants:
|
Magento Open Source 1.9.4.3 |
Magento Open Source Download Page > Release Archive Tab |
|
SUPEE-11219 |
Magento Open Source Download Page > Release Archive Tab > Magento Open Source Patches - 1.x Section |
| PRODSECBUG-2462: Remote code execution through file upload in Admin import feature (RCE) - CVE-2019-8114 | |
|---|---|
| Type: | Remote Code Execution |
| CVSSv3 Severity: | 9.1 |
| Known Attacks: | None |
| Description: |
An authenticated user with administrative privileges to import features can execute arbitrary code through a crafted configuration archieve file upload. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.3, and Magento Commerce prior to 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
| Fixed In: | Magento Open Source 1.9.4.3, Magento Commerce 1.14.4.3, SUPEE-11219, Magento 2.2.10, Magenot 2.3.2-p1, Magento 2.3.3 |
| Reporter: | sambecks |
| PRODSECBUG-2443: Remote code execution via crafted support configuration modification - CVE-2019-8125 | |
|---|---|
| Type: | Remote Code Execution |
| CVSSv3 Severity: | 9.1 |
| Known Attacks: | None |
| Description: |
A remote code execution vulnerability exists in Magento 1 prior to 1.9.x and 1.14.x. An authenticated admin user can modify configuration parameters via crafted support configuration. The modification can lead to remote code execution. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.3, and Magento Commerce prior to 1.14.4.3. |
| Fixed In: | Magento Open Source 1.9.4.3, Magento Commerce 1.14.4.3, SUPEE-11219 |
| Reporter: | Blaklis |
| PRODSECBUG-2443: Remote code execution through support/output path modification (RCE) - CVE-2019-8230 | |
|---|---|
| Type: | Remote Code Execution |
| CVSSv3 Severity: | 9.1 |
| Known Attacks: | None |
| Description: |
An authenticated user with administrative privileges to edit configuration settings can execute arbitrary code through a crafted support/output path. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.3, and Magento Commerce prior to 1.14.4.3. |
| Fixed In: | Magento Open Source 1.9.4.3, Magento Commerce 1.14.4.3, SUPEE-11219 |
| Reporter: | Blaklis |
| PRODSECBUG-2427: Remote code execution through catalog attribute sets (RCE) - CVE-2019-8231 | |
|---|---|
| Type: | Remote Code Execution |
| CVSSv3 Severity: | 9.1 |
| Known Attacks: | None |
| Description: |
An authenticated user with administrative privileges for editing attribute sets can execute arbitrary code through custom layout modification. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.3, and Magento Commerce prior to 1.14.4.3. |
| Fixed In: | Magento Open Source 1.9.4.3, Magento Commerce 1.14.4.3, SUPEE-11219 |
| Reporter: | Luke Rodgers |
| PRODSECBUG-2492: Remote code execution via product layout update - CVE-2019-8091 | |
|---|---|
| Type: | Remote Code Execution |
| CVSSv3 Severity: | 9 |
| Known Attacks: | None |
| Description: |
A remote code execution vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3. An authenticated admin user with privileges to access product attributes can leverage layout updates to trigger remote code execution. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.3, and Magento Commerce prior to 1.14.4.3. |
| Fixed In: | Magento Open Source 1.9.4.3, Magento Commerce 1.14.4.3, SUPEE-11219 |
| Reporter: | Luke Rodgers |
| PRODSECBUG-2492: Remote code execution through catalog attributes (RCE) - CVE-2019-8229 | |
|---|---|
| Type: | Remote Code Execution |
| CVSSv3 Severity: | 9 |
| Known Attacks: | None |
| Description: |
An authenticated user with administrative privileges to edit product attributes can execute arbitrary code through crafted layout updates. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.3, and Magento Commerce prior to 1.14.4.3. |
| Fixed In: | Magento Open Source 1.9.4.3, Magento Commerce 1.14.4.3, SUPEE-11219 |
| Reporter: | Luke Rodgers |
| PRODSECBUG-2415: Remote code execution due to a race condition in the import feature (RCE) - CVE-2019-8232 | |
|---|---|
| Type: | Remote Code Execution |
| CVSSv3 Severity: | 7.5 |
| Known Attacks: | None |
| Description: |
An authenticated user with administrative privileges for the import feature can execute arbitrary code through a race condition that allows webserver configuration file modification. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.3, and Magento Commerce prior to 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
| Fixed In: | Magento Open Source 1.9.4.3, Magento Commerce 1.14.4.3, SUPEE-11219, Magento 2.2.10, Magenot 2.3.2-p1, Magento 2.3.3 |
| Reporter: | Robin Peraglie |
| PRODSECBUG-2328: Sensitive information is available in HTTP requests - CVE-2019-8155 | |
|---|---|
| Type: | Information leakage |
| CVSSv3 Severity: | 5.4 |
| Known Attacks: | None |
| Description: |
Magento included a user's CSRF token in the URL of a GET request. This could be exploited by an attacker with access to network traffic to perform unauthorized actions. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.3, and Magento Commerce prior to 1.14.4.3. |
| Fixed In: | Magento Open Source 1.9.4.3, Magento Commerce 1.14.4.3, SUPEE-11219 |
| Reporter: | Pen-test |
| PRODSECBUG-2344: Cross-site scripting through the WYSIWYG editor (XSS) - CVE-2019-8152 | |
|---|---|
| Type: | Cross-Site Scripting |
| CVSSv3 Severity: | 4 |
| Known Attacks: | None |
| Description: |
An authenticated user with access to the WYSIWYG editor can abuse the blockDirective() function and inject malicious JavaScript in the cache of the Admin. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.3, and Magento Commerce prior to 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
| Fixed In: | Magento Open Source 1.9.4.3, Magento Commerce 1.14.4.3, SUPEE-11219, Magento 2.2.10, Magenot 2.3.2-p1, Magento 2.3.3 |
| Reporter: | Simon Scannell |
| PRODSECBUG-2517: Stored cross-site scripting through new profile action XML - CVE-2019-8227 | |
|---|---|
| Type: | Cross-Site Scripting |
| CVSSv3 Severity: | 4 |
| Known Attacks: | None |
| Description: |
An authenticated user with limited administrative privileges can inject arbitrary JavaScript code via import / export functionality when creating profile action XML. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.3, and Magento Commerce prior to 1.14.4.3. |
| Fixed In: | Magento Open Source 1.9.4.3, Magento Commerce 1.14.4.3, SUPEE-11219 |
| Reporter: | Djordje Marjanovic |
| PRODSECBUG-2515: Stored cross-site scripting through transactional emails page when creating new email template - CVE-2019-8228 | |
|---|---|
| Type: | Cross-Site Scripting |
| CVSSv3 Severity: | 4 |
| Known Attacks: | None |
| Description: |
An authenticated user with limited administrative privileges can inject arbitrary JavaScript code into transactional email page when creating a new email template or editing existing email template. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.3, and Magento Commerce prior to 1.14.4.3. |
| Fixed In: | Magento Open Source 1.9.4.3, Magento Commerce 1.14.4.3, SUPEE-11219 |
| Reporter: | Djordje Marjanovic |
| PRODSECBUG-2445: Insufficient logging and monitoring of configuration changes - CVE-2019-8123 | |
|---|---|
| Type: | Insufficient logging and monitoring |
| CVSSv3 Severity: | 3.3 |
| Known Attacks: | None |
| Description: |
The logging feature that is required for effective monitoring did not contain sufficent data to effectively track configuration changes. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.3, and Magento Commerce prior to 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
| Fixed In: | Magento Open Source 1.9.4.3, Magento Commerce 1.14.4.3, SUPEE-11219, Magento 2.2.10, Magenot 2.3.2-p1, Magento 2.3.3 |
| Reporter: | Internal employee |
Please refer to
Security Best Practices for additional information on how to secure your site.
Be sure to implement and test the patch in a development environment first to confirm that it works as expected before deploying it to a production site.