Security Update for Magento 2.3.1, 2.2.8 and 2.1.17


Magento, one of the most trusted eCommerce platforms, has faced a number of security-related problems. That is why Magento releases new versions and security patches at regular intervals to guard against newly discovered vulnerabilities.

To enhance product security, performance and functionality, Magento recently released security patches, along with other updates, for the following versions of Magento Commerce and Open Source:

  • Magento Commerce and Open Source 2.3.1
  • Magento Commerce and Open Source 2.2.8
  • Magento Commerce and Open Source 2.1.17
  • Magento Commerce 1.14.4.1
  • Magento Open Source 1.9.4.1
  • SUPEE-11086 to patch earlier Magento 1.x versions

Several high-severity (CVSSv3) issues affect Magento Open Source prior to 1.9.4.1, Magento Commerce prior to 1.14.4.1, Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8 and Magento 2.3 prior to 2.3.1.
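The first thing a store operator needs from this advisory is a yes/no answer for their own installation. The following script is an added example (not Magento's own tooling) that encodes the affected ranges stated above and compares an installed version against them. It assumes the version string comes from `php bin/magento --version` (which on Magento 2 prints a line like `Magento CLI 2.3.0`; this format is an assumption) or, for Magento 1, from wherever the operator reads the version; the edition names used as keys are constructed for this example.

```python
"""Compare an installed Magento version against the fixed versions named in
the advisory (added example; the release-line table below is transcribed from
the advisory text, the edition labels are this example's own)."""
import re
import sys
from typing import Optional, Tuple

Version = Tuple[int, ...]

# First version on each release line that carries the fix, per the advisory.
# Magento 1 is keyed per edition because Open Source (1.9.x) and Commerce
# (1.14.x) use different numbering; Magento 2 lines share numbering across
# editions, so they are keyed "any". Older 1.x lines are not listed here
# because the advisory covers them with patch SUPEE-11086 instead of a
# version bump.
FIXED = {
    ("open-source", (1, 9)): (1, 9, 4, 1),
    ("commerce", (1, 14)): (1, 14, 4, 1),
    ("any", (2, 1)): (2, 1, 17),
    ("any", (2, 2)): (2, 2, 8),
    ("any", (2, 3)): (2, 3, 1),
}


def parse_version(text: str) -> Version:
    """Extract the dotted numeric version from text such as
    'Magento CLI 2.3.0', '2.2.7' or '2.3.1-p1' (suffixes are ignored)."""
    match = re.search(r"(\d+(?:\.\d+)+)", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def first_fixed_version(version: Version, edition: str) -> Optional[Version]:
    """Return the fixed version for this release line, or None if the advisory
    does not list the line (e.g. 2.0.x, or 1.x lines served by SUPEE-11086)."""
    line = version[:2]
    for (keyed_edition, keyed_line), fixed in FIXED.items():
        if keyed_line == line and keyed_edition in ("any", edition):
            return fixed
    return None


def is_affected(version_text: str, edition: str = "open-source") -> Optional[bool]:
    """True if the version predates the fix on its line, False if it is at or
    after the fix, None if the line is not covered by this advisory."""
    version = parse_version(version_text)
    fixed = first_fixed_version(version, edition)
    if fixed is None:
        return None
    # Tuple comparison handles 1.9.4 < 1.9.4.1 as well as 2.2.7 < 2.2.8.
    return version < fixed


def report(version_text: str, edition: str = "open-source") -> str:
    """Human-readable verdict for a version string."""
    verdict = is_affected(version_text, edition)
    version = ".".join(str(p) for p in parse_version(version_text))
    if verdict is None:
        return (f"{version}: release line not listed in this advisory; "
                f"for 1.x check whether SUPEE-11086 applies")
    if verdict:
        fixed = first_fixed_version(parse_version(version_text), edition)
        return f"{version}: AFFECTED, upgrade to {'.'.join(map(str, fixed))} or later"
    return f"{version}: not affected by the issues in this advisory"


if __name__ == "__main__":
    # Usage: python check_magento.py "Magento CLI 2.3.0" [open-source|commerce]
    text = sys.argv[1] if len(sys.argv) > 1 else "Magento CLI 2.3.0"
    edition_arg = sys.argv[2] if len(sys.argv) > 2 else "open-source"
    print(report(text, edition_arg))
```

The check is deliberately conservative: a release line the advisory does not name returns "not listed" rather than "not affected", because the absence of a version bump for older 1.x lines means the fix ships as SUPEE-11086 and must be verified separately.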

Below are the issues addressed by the latest security update, including several high-severity Magento vulnerabilities:

Issue Type: Remote Code Execution (RCE)

| CVSSv3 Severity | Security Bug | Description |
|---|---|---|
| 9.8 | Remote code execution through crafted newsletter and email templates | An administrator user with access to the Braintree payment method configuration can trigger remote code execution through PHP object injection. |
| 9.1 | Remote code execution via email template | An authenticated user can execute arbitrary code via an email template. |
| 8.5 | Unsafe deserialization of a PHP archive can lead to arbitrary code execution | An authenticated user can execute arbitrary code via a Phar deserialization vulnerability. |
| 8.5 | Unsafe handling of an API call to a core bundled extension (Magento Shipping) leads to arbitrary code execution | An authenticated user can configure store settings to achieve arbitrary code execution through server-side request forgery. |
| 8.5 | The upload settings for B2B quote files are open to remote code execution attacks | An authenticated user can configure email templates to execute arbitrary code through a PHP archive deserialization vulnerability. |

Issue Type: SQL Injection and Cross-Site Scripting

| CVSSv3 Severity | Security Bug | Description |
|---|---|---|
| 7.7 | Cross-site scripting and SQL injection vulnerability in the catalog section (XSS) | An authenticated user can embed malicious code via a stored cross-site scripting or SQL injection vulnerability in the catalog section by changing attribute_code. |
| 7.2 | SQL injection vulnerability through an authenticated user | An unauthenticated user can execute arbitrary code through an SQL injection vulnerability, which causes sensitive data leakage. |
| 6.5 | SQL injection due to inadequate validation of user input | An authenticated user can configure email templates to execute arbitrary SQL queries. |

Issue Type: Cross-Site Scripting

| CVSSv3 Severity | Security Bug | Description |
|---|---|---|
| 6.5 | Cross-site scripting in the Admin Customer Segments area | An authenticated user can embed malicious code via a stored cross-site scripting or SQL injection vulnerability in the catalog section by changing attribute_code. |
| 6.3 | Reflected cross-site scripting vulnerability in the Admin via the requisition list ID | An authenticated user can use a cross-site scripting vulnerability to embed malicious code. |
| 5.8 | Stored cross-site scripting in the admin panel through the Admin Shopping Cart Rules page | An authenticated user can embed arbitrary code in the Conditions tab of the Admin Shopping Cart Rules page. |
| 5.8 | Cross-site request forgery can delete a product attribute | An attacker can delete a product attribute within the context of an authenticated administrator's session through cross-site request forgery. |
| 5.7 | Cross-site request forgery vulnerability can lead to deletion of synonym groups | An attacker can delete all synonym groups within the context of an authenticated administrator's session through cross-site request forgery. |


Source: Magento

To ensure the best security and performance, Magento strongly recommends deploying these new releases right away. Implement and test the patch in a development environment first to confirm it behaves as expected, or consult a professional.

Ask your Magento certified professional to carry out a security audit on a regular basis (say quarterly); this will improve your store's security, especially if you have installed new extensions or made changes to the site.

Fill in the form below if you want to implement the security patches or upgrade your Magento website.