New Security Update

Install critical updates for Magento 1.x and Magento 2.x versions

SUPEE-11219

October 8, 2019

SUPEE-11219, Magento Commerce 1.14.4.3 and Open Source 1.9.4.3 contain multiple security enhancements that help close remote code execution (RCE), cross-site scripting (XSS), cross-site request forgery (CSRF) and other vulnerabilities.

Information on all the changes in the 1.14.4.3 and 1.9.4.3 releases is available in the Magento Commerce and Magento Open Source release notes.

Patches and upgrades are available for the following Magento versions:

  • Magento Commerce 1.9.0.0-1.14.4.1: SUPEE-11219 or upgrade to Magento Commerce 1.14.4.3.

  • Magento Open Source 1.5.0.0-1.9.4.1: SUPEE-11219 or upgrade to Magento Open Source 1.9.4.3.
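The following script is an added example, not tooling from Magento or from this advisory. It decides whether a Magento 1.x install still needs SUPEE-11219 by comparing the running version against the fixed releases named above and, for older versions, checking whether the patch is recorded in app/etc/applied.patches.list. Assumptions: Magento 1 patch scripts append one line per applied patch to that file, reverted patches are marked with the word REVERTED on their line, and the sample listing embedded below is constructed, not a real file.

```python
"""Check whether a Magento 1.x install needs SUPEE-11219 or an upgrade.

Added example, not Magento's own code. The fixed versions and the patch
name come from the advisory; the layout of applied.patches.list is an
assumption based on how Magento 1 patch scripts record applied patches.
"""
import re
import sys

PATCH = "SUPEE-11219"

# Releases that contain the fix, per the advisory.
FIXED_VERSION = {
    "commerce": (1, 14, 4, 3),
    "open-source": (1, 9, 4, 3),
}

# Constructed sample of app/etc/applied.patches.list (format approximated).
SAMPLE_LISTING = """\
2019-07-01 09:12:33 UTC | SUPEE-11086 | CE_1.9.4.1 | v1 | abc123 | Mon Jul 1 09:12:33 2019
2019-10-10 14:02:11 UTC | SUPEE-11219 | CE_1.9.4.1 | v1 | def456 | Thu Oct 10 14:02:11 2019
"""


def parse_version(text):
    """'1.9.4.1' -> (1, 9, 4, 1); shorter strings are padded with zeros."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))[:4]


def applied_patches(listing):
    """Return the set of SUPEE-* names recorded as applied (not reverted).

    Assumption: a reverted patch is logged with the marker REVERTED on its
    line; such lines are ignored. Re-applying later adds a fresh line.
    """
    applied = set()
    for line in listing.splitlines():
        if "REVERTED" in line:
            continue
        applied.update(re.findall(r"SUPEE-\d+", line))
    return applied


def assess(edition, version, listing):
    """Return (status, reason) for one install.

    status is 'fixed' (release already contains the fix), 'patched'
    (older release with SUPEE-11219 applied) or 'vulnerable'.
    """
    edition = edition.lower()
    if edition not in FIXED_VERSION:
        raise ValueError(f"unknown edition: {edition!r}")
    fixed = FIXED_VERSION[edition]
    running = parse_version(version)
    fixed_text = ".".join(map(str, fixed))
    if running >= fixed:
        return "fixed", f"{version} is {fixed_text} or newer"
    if PATCH in applied_patches(listing):
        return "patched", f"{version} is older than {fixed_text} but {PATCH} is applied"
    return "vulnerable", f"{version} is older than {fixed_text} and {PATCH} is not applied"


if __name__ == "__main__":
    # Usage: python check_supee.py <commerce|open-source> <version> [applied.patches.list]
    edition_arg, version_arg = sys.argv[1], sys.argv[2]
    if len(sys.argv) > 3:
        with open(sys.argv[3], encoding="utf-8") as fh:
            listing_text = fh.read()
    else:
        listing_text = SAMPLE_LISTING
    status, reason = assess(edition_arg, version_arg, listing_text)
    print(f"{status}: {reason}")
```

Run it against the real file on a server (`app/etc/applied.patches.list` under the Magento root) rather than the embedded sample; a "vulnerable" result on a production host is the signal to schedule the patch or the upgrade.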

To download a patch or release, choose from the following options:

Partners:

SUPEE-11086

Magento Commerce 1.14.4.3

Partner Portal > Magento Commerce > Magento Commerce 1.X > Magento Commerce 1.x > Version 1.x Releases > Version 1.14.4.3

SUPEE-11219

Partner Portal > Magento Commerce > Magento Commerce 1.X > Magento Commerce 1.x > Support and Security Patches > Security Patches > Security Patches – October 2019

Magento Commerce Merchants:

Magento Commerce 1.14.4.3

My Account > Downloads Tab > Magento Commerce 1.X > Magento Commerce 1.x > Version 1.x Releases > Version 1.14.4.3

SUPEE-11068

My Account > Downloads Tab > Magento Commerce 1.X > Magento Commerce 1.x > Support and Security Patches > Security Patches > Security Patches – October 2019

Magento Open Source Merchants:

Magento Open Source 1.9.4.3

Magento Open Source Download Page > Release Archive Tab

SUPEE-11219

Magento Open Source Download Page > Release Archive Tab > Magento Open Source Patches - 1.x Section


PRODSECBUG-2462: Remote code execution through file upload in Admin import feature (RCE) - CVE-2019-8114
Type: Remote Code Execution
CVSSv3 Severity: 9.1
Known Attacks: None
Description:

An authenticated user with administrative privileges to import features can execute arbitrary code through a crafted configuration archive file upload.

Product(s) Affected: Magento Open Source prior to 1.9.4.3, and Magento Commerce prior to 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento Open Source 1.9.4.3, Magento Commerce 1.14.4.3, SUPEE-11219, Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: sambecks
PRODSECBUG-2443: Remote code execution via crafted support configuration modification - CVE-2019-8125
Type: Remote Code Execution
CVSSv3 Severity: 9.1
Known Attacks: None
Description:

A remote code execution vulnerability exists in Magento 1 prior to 1.9.x and 1.14.x. An authenticated admin user can modify configuration parameters via crafted support configuration. The modification can lead to remote code execution.

Product(s) Affected: Magento Open Source prior to 1.9.4.3, and Magento Commerce prior to 1.14.4.3.
Fixed In: Magento Open Source 1.9.4.3, Magento Commerce 1.14.4.3, SUPEE-11219
Reporter: Blaklis
PRODSECBUG-2443: Remote code execution through support/output path modification (RCE) - CVE-2019-8230
Type: Remote Code Execution
CVSSv3 Severity: 9.1
Known Attacks: None
Description:

An authenticated user with administrative privileges to edit configuration settings can execute arbitrary code through a crafted support/output path.

Product(s) Affected: Magento Open Source prior to 1.9.4.3, and Magento Commerce prior to 1.14.4.3.
Fixed In: Magento Open Source 1.9.4.3, Magento Commerce 1.14.4.3, SUPEE-11219
Reporter: Blaklis
PRODSECBUG-2427: Remote code execution through catalog attribute sets (RCE) - CVE-2019-8231
Type: Remote Code Execution
CVSSv3 Severity: 9.1
Known Attacks: None
Description:

An authenticated user with administrative privileges for editing attribute sets can execute arbitrary code through custom layout modification.

Product(s) Affected: Magento Open Source prior to 1.9.4.3, and Magento Commerce prior to 1.14.4.3.
Fixed In: Magento Open Source 1.9.4.3, Magento Commerce 1.14.4.3, SUPEE-11219
Reporter: Luke Rodgers
PRODSECBUG-2492: Remote code execution via product layout update - CVE-2019-8091
Type: Remote Code Execution
CVSSv3 Severity: 9
Known Attacks: None
Description:

A remote code execution vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3. An authenticated admin user with privileges to access product attributes can leverage layout updates to trigger remote code execution.

Product(s) Affected: Magento Open Source prior to 1.9.4.3, and Magento Commerce prior to 1.14.4.3.
Fixed In: Magento Open Source 1.9.4.3, Magento Commerce 1.14.4.3, SUPEE-11219
Reporter: Luke Rodgers
PRODSECBUG-2492: Remote code execution through catalog attributes (RCE) - CVE-2019-8229
Type: Remote Code Execution
CVSSv3 Severity: 9
Known Attacks: None
Description:

An authenticated user with administrative privileges to edit product attributes can execute arbitrary code through crafted layout updates.

Product(s) Affected: Magento Open Source prior to 1.9.4.3, and Magento Commerce prior to 1.14.4.3.
Fixed In: Magento Open Source 1.9.4.3, Magento Commerce 1.14.4.3, SUPEE-11219
Reporter: Luke Rodgers
PRODSECBUG-2415: Remote code execution due to a race condition in the import feature (RCE) - CVE-2019-8232
Type: Remote Code Execution
CVSSv3 Severity: 7.5
Known Attacks: None
Description:

An authenticated user with administrative privileges for the import feature can execute arbitrary code through a race condition that allows webserver configuration file modification.

Product(s) Affected: Magento Open Source prior to 1.9.4.3, and Magento Commerce prior to 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento Open Source 1.9.4.3, Magento Commerce 1.14.4.3, SUPEE-11219, Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Robin Peraglie
PRODSECBUG-2328: Sensitive information is available in HTTP requests - CVE-2019-8155
Type: Information leakage
CVSSv3 Severity: 5.4
Known Attacks: None
Description:

Magento included a user's CSRF token in the URL of a GET request. This could be exploited by an attacker with access to network traffic to perform unauthorized actions.

Product(s) Affected: Magento Open Source prior to 1.9.4.3, and Magento Commerce prior to 1.14.4.3.
Fixed In: Magento Open Source 1.9.4.3, Magento Commerce 1.14.4.3, SUPEE-11219
Reporter: Pen-test
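As an added example that is not part of this advisory or of Magento, the script below shows how a defender can check web server access logs for the pattern described in CVE-2019-8155: a CSRF token travelling in the URL of a GET request, where proxies, browser history and log files will retain it. Assumptions: the logs are in the Apache/nginx combined format, the token parameter is named form_key (Magento's name for its form token; the set of names is a parameter), the token may appear either as a query parameter or as a Magento 1 style path segment (/form_key/value/), and the log lines embedded below are constructed, not real traffic. Flagged lines have the token value redacted before they are reported, so the report itself does not become another copy of the token.

```python
"""Find GET requests that carry a CSRF token in the URL (access-log check).

Added example, not Magento's own code. Parses combined-format access log
lines and reports GET requests whose target contains a token parameter,
either as ?form_key=... or as a /form_key/.../ path segment.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names treated as CSRF tokens (form_key is Magento's; extend as needed).
TOKEN_PARAMS = {"form_key"}

# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [08/Oct/2019:10:00:01 +0000] "GET /index.php/admin/dashboard/ HTTP/1.1" 200 5123
203.0.113.5 - - [08/Oct/2019:10:00:07 +0000] "GET /index.php/admin/catalog_product/save/form_key/AbC123/ HTTP/1.1" 302 0
203.0.113.5 - - [08/Oct/2019:10:00:09 +0000] "POST /index.php/admin/catalog_product/save/ HTTP/1.1" 302 0
198.51.100.9 - - [08/Oct/2019:10:01:00 +0000] "GET /customer/account/logout/?form_key=XyZ789 HTTP/1.1" 302 0
"""


def token_in_target(target, params=TOKEN_PARAMS):
    """Return the token parameter name found in a request target, or None."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    for name in params:
        if name in query:
            return name
    # Magento 1 also accepts parameters as path segments: /name/value/
    segments = parts.path.split("/")
    for i, seg in enumerate(segments[:-1]):
        if seg in params and segments[i + 1]:
            return seg
    return None


def redact(target, name):
    """Replace the token value in both query and path-segment forms."""
    target = re.sub(rf"({re.escape(name)}=)[^&]*", r"\1[REDACTED]", target)
    return re.sub(rf"(/{re.escape(name)}/)[^/]+", r"\1[REDACTED]", target)


def find_token_leaks(log_text, params=TOKEN_PARAMS):
    """Return one finding per GET line whose URL carries a token parameter."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = LOG_RE.match(line)
        if not match or match["method"] != "GET":
            continue
        name = token_in_target(match["target"], params)
        if name:
            findings.append({
                "line": lineno,
                "ip": match["ip"],
                "time": match["ts"],
                "param": name,
                "target": redact(match["target"], name),
            })
    return findings


if __name__ == "__main__":
    for finding in find_token_leaks(SAMPLE_LOG):
        print(f"line {finding['line']}: {finding['ip']} GET {finding['target']} ({finding['param']} in URL)")
```

On a patched install the expected result over admin traffic is no findings; hits after patching point at custom modules or themes that still build links with the token in them.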
PRODSECBUG-2344: Cross-site scripting through the WYSIWYG editor (XSS) - CVE-2019-8152
Type: Cross-Site Scripting
CVSSv3 Severity: 4
Known Attacks: None
Description:

An authenticated user with access to the WYSIWYG editor can abuse the blockDirective() function and inject malicious JavaScript in the cache of the Admin.

Product(s) Affected: Magento Open Source prior to 1.9.4.3, and Magento Commerce prior to 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento Open Source 1.9.4.3, Magento Commerce 1.14.4.3, SUPEE-11219, Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Simon Scannell
PRODSECBUG-2517: Stored cross-site scripting through new profile action XML - CVE-2019-8227
Type: Cross-Site Scripting
CVSSv3 Severity: 4
Known Attacks: None
Description:

An authenticated user with limited administrative privileges can inject arbitrary JavaScript code via import / export functionality when creating profile action XML.

Product(s) Affected: Magento Open Source prior to 1.9.4.3, and Magento Commerce prior to 1.14.4.3.
Fixed In: Magento Open Source 1.9.4.3, Magento Commerce 1.14.4.3, SUPEE-11219
Reporter: Djordje Marjanovic
PRODSECBUG-2515: Stored cross-site scripting through transactional emails page when creating new email template - CVE-2019-8228
Type: Cross-Site Scripting
CVSSv3 Severity: 4
Known Attacks: None
Description:

An authenticated user with limited administrative privileges can inject arbitrary JavaScript code into transactional email page when creating a new email template or editing existing email template.

Product(s) Affected: Magento Open Source prior to 1.9.4.3, and Magento Commerce prior to 1.14.4.3.
Fixed In: Magento Open Source 1.9.4.3, Magento Commerce 1.14.4.3, SUPEE-11219
Reporter: Djordje Marjanovic
PRODSECBUG-2445: Insufficient logging and monitoring of configuration changes - CVE-2019-8123
Type: Insufficient logging and monitoring
CVSSv3 Severity: 3.3
Known Attacks: None
Description:

The logging feature that is required for effective monitoring did not contain sufficient data to effectively track configuration changes.

Product(s) Affected: Magento Open Source prior to 1.9.4.3, and Magento Commerce prior to 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Fixed In: Magento Open Source 1.9.4.3, Magento Commerce 1.14.4.3, SUPEE-11219, Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3
Reporter: Internal employee
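The entry above (CVE-2019-8123) says the existing log lacked the data needed to track configuration changes; the entries for CVE-2019-8125 and CVE-2019-8230 show why that matters, since a crafted configuration value was the route to code execution. As an added example that is not Magento's code, the script below shows what a configuration-change audit record needs to carry (who, when, from where, which setting, old and new value, with secret values reduced to a digest) and two alert rules a monitoring pipeline can apply to such records: a change to a watchlisted setting, and a filesystem-path setting whose new value resolves outside an allowed base directory. The setting names, the watchlist and the base directory are illustrative placeholders, not Magento's real configuration keys.

```python
"""Audit records for admin configuration changes, plus alert rules.

Added example, not Magento's own logging. Setting names, the watchlist and
BASE_DIR are constructed placeholders chosen to illustrate the rules.
"""
import hashlib
import json
import posixpath
from datetime import datetime, timezone

# Illustrative: settings whose change should always raise an alert.
WATCHLIST = {"system/support/output_path", "dev/template/allow_symlink"}
# Illustrative: settings that hold filesystem paths and must stay under BASE_DIR.
PATH_SETTINGS = {"system/support/output_path"}
BASE_DIR = "/var/www/magento/var"
# Substrings marking settings whose values must never be logged in clear.
SECRET_MARKERS = ("password", "secret", "api_key", "token")


def redact(path, value):
    """Log a short digest instead of a secret value; the change stays detectable."""
    if any(marker in path.lower() for marker in SECRET_MARKERS):
        return "sha256:" + hashlib.sha256(str(value).encode()).hexdigest()[:16]
    return value


def audit_record(actor, source_ip, path, old, new, when=None):
    """Build one change record with the fields needed to reconstruct the change later."""
    when = when or datetime.now(timezone.utc)
    return {
        "ts": when.isoformat(),
        "actor": actor,
        "source_ip": source_ip,
        "path": path,
        "old": redact(path, old),
        "new": redact(path, new),
        "changed": old != new,
    }


def escapes_base(value, base=BASE_DIR):
    """True if a path setting resolves outside the allowed base directory.

    posixpath.join discards base when value is absolute, and normpath
    collapses '..' segments, so both absolute and traversal values are caught.
    """
    resolved = posixpath.normpath(posixpath.join(base, value))
    return not (resolved == base or resolved.startswith(base + "/"))


def alerts_for(record):
    """Return the names of the alert rules that fire for one record."""
    fired = []
    if not record["changed"]:
        return fired
    if record["path"] in WATCHLIST:
        fired.append("watchlisted-setting-changed")
    if record["path"] in PATH_SETTINGS and escapes_base(str(record["new"])):
        fired.append("path-setting-escapes-base-dir")
    return fired


def to_json_line(record):
    """One JSON object per line, the shape log shippers and SIEMs ingest directly."""
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample change: a path setting pointed outside the base directory.
    sample = audit_record("admin", "203.0.113.5", "system/support/output_path",
                          "export", "../../../etc")
    print(to_json_line(sample))
    print("alerts:", alerts_for(sample))
```

Keeping the old value next to the new one is what makes a record useful in an investigation: it lets responders see exactly what an account changed and restore the previous value, and it lets the alert rules compare against a known-good baseline instead of only noting that "something changed".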

Please refer to Security Best Practices for additional information on how to secure your site.

Be sure to implement and test the patch in a development environment first to confirm that it works as expected before deploying it to a production site.