Magento is one of the most trusted eCommerce platforms has faced a few security-related problems. That’s the reason why Magneto releases its new version and security patches on a regular interval to guard against unexpected vulnerabilities.
To enhance product security, performance and functionality, Magento recently released security patches including other updates for the new versions of Magento Commerce and Open Source:
There were various high CVSSv3 severity issues that affect the product Magento Open Source prior to 1.9.4.1 and Magneto Commerce prior to 1.14.4.1, Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1.
Below is the latest security update that is addressed to some high severity Magento vulnerabilities:
| CVSSv3 Severity | Security Bug | Description |
|---|---|---|
| 9.8 | Remote code execution though crafted newsletter and email templates | An administrator user with access to the Braintree payment method configuration can trigger remote code execution through PHP object injection. |
| 9.1 | Remote code execution via email template | An authenticated user has right to execute arbitrary code via email template. |
| 8.5 | An Unsafe deserialization of a PHP archive can lead to Arbitrary execution | An authenticated user can execute arbitrary code via Phar deserialization vulnerability. |
| 8.5 | The unsafe handling of an API call to a core bundled extension leads to Arbitrary code execution (Magento Shipping) | An authenticated user can configure store settings to execute arbitrary code execution through server-side request forgery. |
| 8.5 | To execute arbitrary code through PHP archive deserialization vulnerability, An authenticated user can configure email templates. | The upload settings for B2B quote files are open to remote code execution attacks. |
| 7.7 | Cross-site scripting and SQL injection vulnerability in catalog section (XSS) | An authenticated user will embed malicious code via a stored cross-site scripting or SQL injection vulnerability in the catalog section by changing attribute_code. |
| 7.2 | SQL injection vulnerability can come through an authenticated user | An unauthenticated user can execute arbitrary code through an SQL injection vulnerability, which causes sensitive data leakage. |
| 6.5 | SQL injection happens because of inadequate validation of user input. | To execute arbitrary SQL queries, An authenticated user can configure email templates. |
| 6.5 | Admin Customer Segments area has cross-site scripting. | An authenticated user will embed malicious code via a stored cross-site scripting or SQL injection vulnerability in the catalog section by changing attribute_code. |
| 6.3 | Reflected cross-site scripting vulnerability in the Admin via the requisition list ID | To embed malicious code, an authenticated user can use a cross-site scripting vulnerability |
| 5.8 | Stored cross-site scripting in the admin panel through the Admin Shopping Cart Rules page | An authenticated user can embed arbitrary code in the Conditions tab of Admin Shopping Cart Rules page. |
| 5.8 | Cross-site request forgery can delete product attribute. | An attacker can delete a product attribute within the context of authenticated administrator’s session through cross-site request forgery. |
| 5.8 | Stored cross-site scripting in the admin panel through the Admin Shopping Cart Rules page | An authenticated user can embed arbitrary code in the Conditions tab of Admin Shopping Cart Rules page. |
| 5.7 | Cross-site request forgery vulnerability can lead to deletion of synonym groups. | An attacker can delete all synonyms groups within the context of an authenticated administrator’s session through cross-site request forgery. |
To ensure the best security and performance, Magento has highly recommended deploying these new releases right away. You should implement and test the patch in a development phase to get the expected result or consult a professional.
Always ask your Magento certified professional to carry out a security audit on a timely basis (say quarterly) as this will improve your store security especially if you have installed new extensions and made few changes to the site.
Fill the form below if you want to implement security patches or want to upgrade your Magento website.
UK: +44 2081232989
USA : +1 7077366533
AUS : +61 390185455
(We Operate Globally)