Magento News Posts

MAGENTO SECURITY PATCH SUPEE-11155 RELEASED

Magento Inc. announces a new patch that eliminates a number of acute errors and vulnerabilities in cross-site operations. SUPEE-11155 stands guard over your Magento store.

Supee Patch 11155 for Magento

Magento has always kept a sharp eye on the security and performance of the platform, and the team guarantees the safest environment for any ecommerce business with far-reaching ambitions. The timely and powerful security patch SUPEE-11155 demonstrates the quality of Magento's maintenance services. The patch contains multiple security enhancements which help close remote code execution, cross-site scripting, cross-site request forgery and other vulnerabilities.

Choose the option below that matches your Magento version, and ensure steadfast performance of the store:

  • Magento Commerce 1.9.0.0-1.14.4.1: Install SUPEE-11155 or upgrade to Magento Commerce 1.14.4.2
  • Magento Open Source 1.5.0.0-1.9.4.1: Install SUPEE-11155 or upgrade to Magento Open Source 1.9.4.2

List of high CVSSv3 severity issues addressed by the present security patch:

MAGENTO SECURITY PATCH SUPEE-11086 RELEASED

SUPEE-11086, Magento Commerce 1.14.4.1 and Open Source 1.9.4.1 contain multiple security enhancements that help close remote code execution (RCE), cross-site scripting (XSS), cross-site request forgery (CSRF) and other vulnerabilities.

Patches and upgrades are available for the following Magento versions:

  • Magento Commerce 1.9.0.0-1.14.4.0: SUPEE-11086 or upgrade to Magento Commerce 1.14.4.1.
  • Magento Open Source 1.5.0.0-1.9.4.0: SUPEE-11086 or upgrade to Magento Open Source 1.9.4.1.
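As an added example (written for this page, not code from Magento or from any advisory), the following Python check decides, from the version ranges quoted in the SUPEE-11155 and SUPEE-11086 entries above, which of those patches a given Magento 1 installation still needs, and cross-checks them against the identifiers recorded in app/etc/applied.patches.list. The sample file content is constructed, the column layout of that file is an assumption, and the parser relies only on the SUPEE-NNNN token appearing on a line.

```python
import re

# (edition, first affected, last affected, patch, fixed-in release) as quoted in the
# SUPEE-11155 and SUPEE-11086 advisories on this page.
PATCH_TABLE = [
    ("Open Source", "1.5.0.0", "1.9.4.1",  "SUPEE-11155", "1.9.4.2"),
    ("Open Source", "1.5.0.0", "1.9.4.0",  "SUPEE-11086", "1.9.4.1"),
    ("Commerce",    "1.9.0.0", "1.14.4.1", "SUPEE-11155", "1.14.4.2"),
    ("Commerce",    "1.9.0.0", "1.14.4.0", "SUPEE-11086", "1.14.4.1"),
]

SUPEE_RE = re.compile(r"\bSUPEE-\d+\b")


def parse_version(version):
    """Turn '1.9.4' or '1.14.4.1' into a comparable 4-tuple, padding missing parts with 0."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def applied_patches(applied_list_text):
    """Collect SUPEE identifiers from the content of app/etc/applied.patches.list.

    Magento 1's patch scripts append one line per applied patch. The column
    layout of that file is assumed here; only the SUPEE-NNNN token is relied on.
    """
    found = set()
    for line in applied_list_text.splitlines():
        match = SUPEE_RE.search(line)
        if match:
            found.add(match.group(0))
    return found


def missing_patches(edition, version, applied):
    """Return [(patch, fixed_in)] for patches whose affected range covers `version`
    and which are not recorded as applied. A version at or past `fixed_in` falls
    outside the range and therefore needs nothing for that patch."""
    current = parse_version(version)
    needed = []
    for ed, first, last, patch, fixed_in in PATCH_TABLE:
        if ed != edition:
            continue
        if parse_version(first) <= current <= parse_version(last) and patch not in applied:
            needed.append((patch, fixed_in))
    return needed


# Constructed sample of applied.patches.list with one applied patch; column layout assumed.
SAMPLE_APPLIED_LIST = """\
2019-04-01 10:15:00 UTC | SUPEE-11086 | CE_1.9.4.0 | v1 | 0000000000000000000000000000000000000000 | Mon Mar 25 2019 | SUPEE-11086_CE_1.9.4.0_v1.sh
"""


def audit(edition, version, applied_list_text):
    """Print a summary for one store and return the list of missing patches."""
    applied = applied_patches(applied_list_text)
    missing = missing_patches(edition, version, applied)
    print("Magento %s %s, applied: %s" % (edition, version, sorted(applied) or "none"))
    for patch, fixed_in in missing:
        print("  missing %s (or upgrade to %s)" % (patch, fixed_in))
    if not missing:
        print("  no outstanding patches from the table")
    return missing


if __name__ == "__main__":
    audit("Open Source", "1.9.4.0", SAMPLE_APPLIED_LIST)
    audit("Commerce", "1.14.4.0", "")
```

The applied list only records what the patch script wrote at the time; a later deployment that overwrote patched files leaves the entry in place, so treat a hit as a hint and confirm the patched files themselves, ideally in the development environment the advisories tell you to test in first.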

List of High CVSSv3 Severity Issues Addressed by this Security Patch

    • SQL Injection vulnerability through an unauthenticated user:
      An unauthenticated user can execute arbitrary code through an SQL injection vulnerability, which causes sensitive data leakage.
    • Remote code execution via server side request forgery:
      An authenticated user with administrative privileges to store configuration can execute arbitrary code via server side request forgery (SSRF) issued to Redis. SSRF is facilitated through crafted gateway XML URL configuration.
    • Arbitrary code execution due to unsafe handling of a malicious product attribute configuration:
      An authenticated user with privileges to configure products can execute arbitrary PHP code.
    • Arbitrary code execution due to unsafe deserialization of a PHP archive:
      An authenticated user with administrative privileges can execute arbitrary code through a Phar deserialization vulnerability.
    • Arbitrary code execution due to unsafe handling of a malicious layout update:
      An authenticated user with privileges to the dataflow importer and catalog categories can execute arbitrary PHP code.
    • Remote code execution through PHP code that can be uploaded to the nginx server due to crafted customer store attributes:
      An authenticated user with privileges to modify a customer’s store attributes can execute arbitrary code when allowed to upload PHP input files to the nginx server.
    • Remote code execution through arbitrary XML data sent through a layout table:
      An authenticated user with administrative privileges to modify layouts can execute arbitrary code by injecting arbitrary XML data into a layout table.
    • Arbitrary code execution through bypass of PHP file upload restriction:
      An authenticated user with privileges to system configuration files can bypass file upload restrictions and allow arbitrary upload and execution of arbitrary PHP code.
    • Arbitrary code execution due to bypass of layout validator:
      An authenticated user with privileges can bypass the layout validator and execute arbitrary code through layout updates in the Admin.


If you want to implement this security patch or have any questions regarding the Magento security patch SUPEE-11086, please contact our support team and consult our certified Magento developers.

MAGENTO SECURITY PATCH SUPEE-10975 RELEASED

SUPEE-10975, Magento Commerce 1.14.4.0 and Open Source 1.9.4.0 contain multiple security enhancements that help close remote code execution (RCE), cross-site scripting (XSS), cross-site request forgery (CSRF) and other vulnerabilities.

Patches and upgrades are available for the following Magento versions:

  • Magento Commerce 1.9.0.0-1.14.4.0: SUPEE-10975 or upgrade to Magento Commerce 1.14.4.0.
  • Magento Open Source 1.5.0.0-1.9.4.0: SUPEE-10975 or upgrade to Magento Open Source 1.9.4.0.

There were several high CVSSv3 severity issues found which affected Magento Open Source prior to 1.9.4.0, Magento Commerce prior to 1.14.4.0, Magento 2.1 prior to 2.1.16 and Magento 2.2 prior to 2.2.7. Below are a few of the bugs:

Issue Type: Brute Force Login / Session Identifier

CVSSv3 Severity | Security Bug | Description
9.0 | Stops Brute Force Requests via basic RSS authentication | Attacker is able to brute force requests to the RSS nodes that require admin authentication. With this, attacker would be able to guess the admin password.

Issue Type: Compliance Requirement

CVSSv3 Severity | Security Bug | Description
9.0 | M1 Credit Card Storage Capability | Removes functionality enabling M1 customers to store credit card data in the database.

Issue Type: Remote Code Execution (RCE)

CVSSv3 Severity | Security Bug | Description
8.5 | Authenticated RCE using customer import | Restricts Admin users with access to edit product attributes from running customer imports while executing arbitrary code using a serialized string that has been set as validate_rules on an attribute.
8.5 | API Based RCE Vulnerability | By activating an API, including the ability to add products, it is possible to send base64-encoded content to an unauthorized file and with it, execute an RCE.
8.5 | RCE Via Unauthorized Upload | Prevents a user from uploading unauthorized files while attaching videos.
8.5 | Authenticated RCE using dataflow | Prevents Admin users with access to dataflow functionality from executing arbitrary code using a specially crafted serialized string.

Source: Magento

It is highly recommended by Magento to deploy these new releases right away, to ensure optimal security and performance. Remember to implement and test the patch in a development environment first to confirm that it works as expected or consult a professional.

What else can be done to protect a Magento site?

Apart from installing the security patches, you can always ask Magento certified professionals to conduct a security audit every quarter to ensure that your store is secured, especially if you have installed new extensions or made changes to the site.

If you want to implement this security patch or have any questions regarding the Magento security patch SUPEE-10975, please contact our support team and consult our certified Magento developers.

MAGENTO SECURITY PATCH SUPEE-10888 RELEASED

SUPEE-10888, Magento Commerce 1.14.3.10 and Open Source 1.9.3.10 contain multiple security enhancements that help close cross-site scripting (XSS), cross-site request forgery (CSRF) and other vulnerabilities.

Patches and upgrades are available for the following Magento versions:

  • Magento Commerce 1.9.0.0-1.14.3.10: SUPEE-10888 or upgrade to Magento Commerce 1.14.3.10.
  • Magento Open Source 1.5.0.0-1.9.3.10: SUPEE-10888 or upgrade to Magento Open Source 1.9.3.10.

There were several CVSSv3 severity issues found which affected the Magento products. Below are a few of the bugs:

Issue Type: XML injection

CVSSv3 Severity | Security Bug | Description
6.9 | Authenticated Unauthorised Data Access Via Layout Injection | An administrator with limited permissions might be able to obtain information outside of his permissions.

Issue Type: General: Cross Site Scripting (reflective)

CVSSv3 Severity | Security Bug | Description
6.1 | Reflective XSS against Admin Panel | Arbitrary JS can be triggered on the sales order grid page by manipulating one of the URL parameters.
6.1 | Admin to Admin XSS in configurable custom attribute label | Administrator with limited permissions might be able to use XSS attack on another administrator.

Issue Type: Privilege Escalation & Enumeration: Information Exposure

CVSSv3 Severity | Security Bug | Description
5.9 | Overwrite all Reviews | In specific configurations, it might be possible to overwrite reviews.
N/A | Reset password URL includes the customer ID | The reset password link for a customer account includes the customer ID. An attacker can use the customer ID to gain access to the customer account, despite the use of a token.

Source: Magento

It is highly recommended by Magento to deploy these new releases right away, to ensure optimal security and performance. Remember to implement and test the patch in a development environment first to confirm that it works as expected or consult a professional.

What else can be done to protect a Magento site?

Apart from installing the security patches, you can always ask Magento certified professionals to conduct a security audit every quarter to ensure that your store is secured, especially if you have installed new extensions or made changes to the site.

If you want to implement this security patch or have any questions regarding the Magento security patch SUPEE-10888, please contact our support team and consult our certified Magento developers.

MAGENTO SECURITY PATCH SUPEE-10752 RELEASED

SUPEE-10752, Magento Commerce 1.14.3.9 and Open Source 1.9.3.9 contain multiple security enhancements that help close authenticated Admin user remote code execution (RCE), cross-site request forgery (CSRF) and other vulnerabilities.

NOTE: Conflicts during installation of the patch SUPEE-10752 are caused most often by having version 1 of the previous patch installed (SUPEE-10570v1). Please make sure to remove SUPEE-10570v1 and install SUPEE-10570v2 prior to installation of SUPEE-10752.

Patches and upgrades are available for the following Magento versions:

  • Magento Commerce 1.9.0.0-1.14.3.9: SUPEE-10752 or upgrade to Magento Commerce 1.14.3.9.
  • Magento Open Source 1.5.0.0-1.9.3.9: SUPEE-10752 or upgrade to Magento Open Source 1.9.3.9.

There were several CVSSv3 severity issues found which affected the Magento products. Below are a few of the bugs:

Issue Type: Remote Code Execution (RCE)

CVSSv3 Severity | Security Bug | Description
9.8 (Critical) | Authenticated Remote Code Execution (RCE) using custom layout XML | Admin users with permission to manage products can use custom layout XML to copy any file to any location.
9.8 (Critical) | Authenticated Remote Code Execution (RCE) through the Create New Order feature (Commerce only) | Users with permission to generate sales orders from the Admin panel can use gift card functionality to manipulate request data and inject a malicious string that is later unserialized.
8.9 (High) | PHP Object Injection and RCE in the Magento admin panel (Commerce Target Rule module) | An administrator user with access to the Enterprise Target rule module can create rule-based product relations that can be manipulated to trigger remote code execution.
8.9 (High) | PHP Object Injection and Remote Code Execution (RCE) in the Admin panel (Commerce) | An administrator user with access to the Commerce Target rule module can create rule-based product relations that can be manipulated to trigger remote code execution.

Issue Type: SQL Injection (SQLi)

CVSSv3 Severity | Security Bug | Description
8.2 (High) | Authenticated SQL Injection when saving a category | Arbitrary JS can be triggered on the sales order grid page by manipulating one of the URL parameters.
8.2 (High) | Admin to Admin XSS in configurable custom attribute label | By manipulating request data when saving a category, a user can insert a malicious string into the database that can be used in a subsequent request to perform SQL injection. This injected code can be used to trigger arbitrary (with the proviso they fit in the 255 char field) insert and update commands.

Issue Type: Cross Site Request Forgery (CSRF)

CVSSv3 Severity | Security Bug | Description
7.4 (High) | CSRF is possible against Web sites, Stores, and Store Views | Multiple CSRF vulnerabilities allow for deleting websites, stores or store views.

Issue Type: Security Implementation Flaw

CVSSv3 Severity | Security Bug | Description
7.4 (High) | The cron.php file can leak database credentials | The cron.php file can leak database credentials if it is not able to establish a connection to the database.

Source: Magento

It is highly recommended by Magento to deploy these new releases right away, to ensure optimal security and performance. Remember to implement and test the patch in a development environment first to confirm that it works as expected or consult a professional.

What else can be done to protect a Magento site?

Apart from installing the security patches, you can always ask Magento certified professionals to conduct a security audit every quarter to ensure that your store is secured, especially if you have installed new extensions or made changes to the site.

If you want to implement this security patch or have any questions regarding the Magento security patch SUPEE-10752, please contact our support team and consult our certified Magento developers.

MAGENTO SECURITY PATCH SUPEE-10570 RELEASED

SUPEE-10570, Magento Commerce 1.14.3.8 and Open Source 1.9.3.8 contain multiple security enhancements that help close remote code execution (RCE), cross-site scripting (XSS), and other issues. These releases also include small functional fixes listed in the release notes.

NOTE: Magento was recently informed about an issue with both patch SUPEE-10570 and Magento versions 1.9.3.8/1.14.3.8 that could result in the inability of customers to complete checkout when trying to register during checkout. Magento is now providing an updated patch (SUPEE-10570v2) that no longer causes this issue.

Patches and upgrades are available for the following Magento versions:

  • Magento Commerce 1.9.0.0-1.14.3.7: SUPEE-10570 or upgrade to Magento Commerce 1.14.3.8
  • Magento Open Source 1.5.0.0-1.9.3.7: SUPEE-10570 or upgrade to Magento Open Source 1.9.3.8

There were several CVSSv3 severity issues found which affected the Magento products. Below are a few of the bugs:

Issue Type: Remote Code Execution (RCE)

CVSSv3 Severity | Security Bug | Description
9.8 (High) | Remote Code Execution Using XML Injection | An administrator with limited privileges can insert injectable XML into the layout table, which can create an opportunity for remote code execution.
9.8 (Critical) | Remote Code Execution – additional fix not included in SUPEE-9652 | A user can insert information in a return path, thereby storing information on the file system that could lead to Remote Code Execution (RCE).
8.9 (High) | Remote Code Execution by (semi-)arbitrary file deletion for admin users with access to Import | An administrator with Import permissions can import an XML file that could potentially provide an opportunity for Remote Code Execution (RCE).
7.2 (High) | Remote Code Execution in Staging Environment | An administrator with limited privileges can inject a malformed configuration bypass, which could potentially lead to a file redirection that could be leveraged for arbitrary remote code execution.

Issue Type: Cross-Site Request Forgery (CSRF)

CVSSv3 Severity | Security Bug | Description
6.4 (Medium) | Cross-Site Request Forgery in Store Backups | An administrator can be tricked into performing a system backup by an attacker who has crafted a targeted Cross-Site Request Forgery (CSRF) attack.

Issue Type: Cross-site Scripting (XSS) – stored

CVSSv3 Severity | Security Bug | Description
5.0 (Medium) | Cross-site Scripting in CMS hierarchy | An administrator with limited privileges can insert script into the CMS hierarchy, which could potentially result in a stored cross-site scripting that affects other administrators.
5.0 (Medium) | Cross-site Scripting in Custom Variables | An administrator with limited privileges can insert script in the custom variables name field, which could potentially result in stored cross-site scripting that affects other administrators.

Source: Magento

It is highly recommended by Magento to deploy these new releases right away, to ensure optimal security and performance. Remember to implement and test the patch in a development environment first to confirm that it works as expected or consult a professional.

What else can be done to protect a Magento site?

Apart from installing the security patches, you can always ask Magento certified professionals to conduct a security audit every quarter to ensure that your store is secured, especially if you have installed new extensions or made changes to the site.

If you want to implement this security patch or have any questions regarding the Magento security patch SUPEE-10570, please contact our support team and consult our certified Magento developers.

MAGENTO SECURITY PATCH SUPEE-10415 RELEASED

SUPEE-10415, Magento Commerce 1.14.3.7 and Open Source 1.9.3.7 contain multiple security enhancements that help close cross-site request forgery (CSRF), Denial-of-Service (DoS) and authenticated Admin user remote code execution (RCE) vulnerabilities. These releases also include a fix for customers who had previously experienced issues patching, caused by SOAP v1 interactions in WSDL.

Patches and upgrades are available for the following Magento versions:

  • Magento Commerce 1.9.0.0-1.14.3.7: SUPEE-10415 or upgrade to Magento Commerce 1.14.3.7.
  • Magento Open Source 1.5.0.0-1.9.3.7: SUPEE-10415 or upgrade to Magento Open Source 1.9.3.7.

There were several CVSSv3 severity issues found which affected the Magento products. Below are a few of the bugs:

Issue Type: Denial-of-Service (DoS)

CVSSv3 Severity | Security Bug | Description
6.7 (Medium) | Unsanitized input leading to denial of service | A site visitor can create an account where one of the parameters will create a server denial-of-service.

Issue Type: Cross-Site Scripting (XSS, stored)

CVSSv3 Severity | Security Bug | Description
6.6 (Medium) | Stored XSS in Product Name field | An administrator with limited privileges can insert script in the product name field, potentially resulting in a stored cross-site scripting that affects other administrators.
6.1 (Medium) | Stored XSS in Visual Merchandiser | An administrator with limited privileges can create a stored cross-site scripting attack in the Visual Merchandiser system.

Issue Type: Remote Code Execution (RCE)

CVSSv3 Severity | Security Bug | Description
5.0 (Medium) | Cross-site Scripting in CMS hierarchy | An administrator with limited privileges can insert script into the CMS hierarchy, which could potentially result in a stored cross-site scripting that affects other administrators.
8.2 (High) | Remote Code Execution by leveraging unsafe unserialization | An administrator with limited privileges can insert injectable code in promo fields, creating an opportunity for arbitrary remote code execution.

Source: Magento

It is highly recommended by Magento to deploy these new releases right away, to ensure optimal security and performance. Remember to implement and test the patch in a development environment first to confirm that it works as expected or consult a professional.

What else can be done to protect a Magento site?

Apart from installing the security patches, you can always ask Magento certified professionals to conduct a security audit every quarter to ensure that your store is secured, especially if you have installed new extensions or made changes to the site.

If you want to implement this security patch or have any questions regarding the Magento security patch SUPEE-10415, please contact our support team and consult our certified Magento developers.

MAGENTO SECURITY PATCH SUPEE-10266 RELEASED

SUPEE-10266, Magento Commerce 1.14.3.6 and Open Source 1.9.3.6 contain multiple security enhancements that help close cross-site request forgery (CSRF), unauthorized data leak, and authenticated Admin user remote code execution vulnerabilities. These releases also include fixes for issues with image reloading and payments using one-step checkout.

Patches and upgrades are available for the following Magento versions:

  • Magento Commerce 1.9.0.0-1.14.3.4: SUPEE-10266 or upgrade to Magento Commerce 1.14.3.6
  • Magento Open Source 1.5.0.0-1.9.3.4: SUPEE-10266 or upgrade to Magento Open Source 1.9.3.6

Note: SUPEE-10266 for Magento Commerce (Enterprise Edition) includes a fix for the functional issue MPERF-9685, related to checkout with a zero order amount. This fix is not included in release 1.14.3.6. However, in some cases, SUPEE-10266 can cause issues in the checkout process. Specifically, if a customer enables the Add gift options checkbox during checkout, the checkout process will not progress beyond the payments step. Magento released a fix for this issue as a new patch, SUPEE-10348, that needs to be installed on top of SUPEE-10266.

There were several CVSSv3 severity issues found which affected the Magento products. Below are a few of the bugs:

Issue Type: Privilege Escalation

CVSSv3 Severity | Security Bug | Description
6.7 (Medium) | RSS session admin cookie can be used to gain Magento administrator privileges | An attacker can use a low privilege RSS session cookie to escalate privileges and gain access to the Magento Admin Portal.

Issue Type: Remote Code Execution (RCE)

CVSSv3 Severity | Security Bug | Description
8.2 (High) | Remote Code Execution vulnerability in CMS and layouts | A Magento administrator with limited privileges can introduce malicious code when creating a new CMS Page, which could result in arbitrary remote code execution.
5.8 (Medium) | Potential file uploads solely protected by .htaccess | An attacker can target non-Apache installations (for example, Nginx) to upload executable scripts that can be used to stage additional exploitations.

Source: Magento

It is highly recommended by Magento to deploy these new releases right away, to ensure optimal security and performance. Remember to implement and test the patch in a development environment first to confirm that it works as expected or consult a professional.

What else can be done to protect a Magento site?

Apart from installing the security patches, you can always ask Magento certified professionals to conduct a security audit every quarter to ensure that your store is secured, especially if you have installed new extensions or made changes to the site.

If you want to implement this security patch or have any questions regarding the Magento security patch SUPEE-10266, please contact our support team and consult our certified Magento developers.

MAGENTO SECURITY PATCH SUPEE-9767 RELEASED

SUPEE-9767, Enterprise Edition 1.14.3.3 and Community Edition 1.9.3.3 address several security issues.

KNOWN ISSUES:
Magento received reports that customer registration after checkout might fail if the option ‘Enable Form Key Validation On Checkout’ is enabled. This results in customers not being registered but checking out as guests. Magento is working on an updated version of the patch. As a workaround, disabling the ‘Enable Form Key Validation On Checkout’ option will revert the incorrect behavior.

Patches and upgrades are available for the following Magento versions:

  • Enterprise Edition 1.9.0.0-1.14.3.2: SUPEE-9767 or upgrade to Enterprise Edition 1.14.3.3
  • Community Edition 1.5.0.1-1.9.3.2: SUPEE-9767 or upgrade to Community Edition 1.9.3.3

There were several CVSSv3 severity issues found which affected the Magento products. Below are a few of the bugs:

Issue Type: Remote Code Execution (RCE)

CVSSv3 Severity | Security Bug | Description
8.8 (High) | Remote Code Execution if the configuration setting allowing symlinks is enabled | Use of the AllowSymlinks option in configuration settings can enable the upload of an image that contains malicious code. Although this option is disabled by default, an attacker with access to store configuration settings can enable it and remotely execute code.
8.8 (High) | Remote Code Execution in DataFlow | Magento administrators with access to DataFlow functionality can use it to upload and execute arbitrary code.
8.8 (High) | CSRF after logout – form key not invalidated | Magento does not invalidate form keys on logout, which potentially allows an attacker to execute commands as administrator after the admin logs out.

Source: Magento

It is highly recommended by Magento to deploy these new releases right away, to ensure optimal security and performance. Remember to implement and test the patch in a development environment first to confirm that it works as expected or consult a professional.

What else can be done to protect a Magento site?

Apart from installing the security patches, you can always ask Magento certified professionals to conduct a security audit every quarter to ensure that your store is secured, especially if you have installed new extensions or made changes to the site.

If you want to implement this security patch or have any questions regarding the Magento security patch SUPEE-9767, please contact our support team and consult our certified Magento developers.

MAGENTO SECURITY PATCH SUPEE-9652 RELEASED

SUPEE-9652, Enterprise Edition 1.14.3.2 and Community Edition 1.9.3.2 address the Zend library vulnerability described below.

Patches and upgrades are available for the following Magento versions:

  • Enterprise Edition 1.9.0.0-1.14.3.1: SUPEE-9652 or upgrade to Enterprise Edition 1.14.3.2
  • Community Edition 1.5.0.1-1.9.3.1: SUPEE-9652 or upgrade to Community Edition 1.9.3.2

There were several CVSSv3 severity issues found which affected the Magento products. Below are a few of the bugs:

Issue Type: Remote Code Execution (RCE)

CVSSv3 Severity | Security Bug | Description
9.8 (Critical) | Remote Code Execution using mail vulnerability | Zend Framework 1 vulnerability can be remotely exploited to execute code in Magento 1. While the issue is not reproducible in Magento 2, the library code is the same so it was fixed as well. Note: while the vulnerability is scored as critical, few systems are affected. To be affected by the vulnerability the installation has to:
– use sendmail as the mail transport agent
– have specific, non-default configuration settings

Source: Magento

It is highly recommended by Magento to deploy these new releases right away, to ensure optimal security and performance. Remember to implement and test the patch in a development environment first to confirm that it works as expected or consult a professional.

What else can be done to protect a Magento site?

Apart from installing the security patches, you can always ask Magento certified professionals to conduct a security audit every quarter to ensure that your store is secured, especially if you have installed new extensions or made changes to the site.

If you want to implement this security patch or have any questions regarding the Magento security patch SUPEE-9652, please contact our support team and consult our certified Magento developers.

MAGENTO SECURITY PATCH SUPEE-8788 RELEASED

SUPEE-8788, Enterprise Edition 1.14.3 and Community Edition 1.9.3 address Zend framework and payment vulnerabilities, ensure sessions are invalidated after a user logs out, and make several other security enhancements that are detailed below.

Patches and upgrades are available for the following Magento versions:

  • Enterprise Edition 1.9.0.0-1.14.2.4: SUPEE-8788 or upgrade to Enterprise Edition 1.14.3
  • Community Edition 1.5.0.1-1.9.2.4: SUPEE-8788 or upgrade to Community Edition 1.9.3

There were several CVSSv3 severity issues found which affected the Magento products. Below are a few of the bugs:

Issue Type: Remote Code Execution (RCE)

CVSSv3 Severity | Security Bug | Description
9.8 (Critical) | Remote Code Execution in checkout | With some payment methods it might be possible to execute malicious PHP code during checkout.

Issue Type: SQL Injection/Improper validation

CVSSv3 Severity | Security Bug | Description
9.1 (Critical) | SQL injection in Zend Framework | A bug in Zend Framework value escaping allows a malicious user to inject SQL through the ordering or grouping parameters. While there are no known frontend entry point vulnerabilities that would allow for a full SQL injection, we’ve found an entry point in the Magento Admin panel, and other entry points most likely exist.

Issue Type: Cross-Site Scripting (XSS) – Stored

CVSSv3 Severity | Security Bug | Description
8.2 (High) | Stored XSS in invitations | It is possible to use the Magento Enterprise Edition invitations feature to insert malicious JavaScript that might be executed in the admin context.

Issue Type: Information Leakage

CVSSv3 Severity | Security Bug | Description
7.7 (High) | Stored XSS in invitations | With access to any CMS functionality, an attacker with administrator permissions can use blocks to exfiltrate information stored in cache. This sensitive information includes store configuration, encryption key, and database connection details. Additionally, it might be possible to execute code.

Issue Type: Insufficient data protection

CVSSv3 Severity | Security Bug | Description
7.5 (High) | Log in as another customer | In certain configurations, it is possible to log in as an existing store customer while knowing only his email address, not his password.

Source: Magento

It is highly recommended by Magento to deploy these new releases right away, to ensure optimal security and performance. Remember to implement and test the patch in a development environment first to confirm that it works as expected or consult a professional.

What else can be done to protect a Magento site?

Apart from installing the security patches, you can always ask Magento certified professionals to conduct a security audit every quarter to ensure that your store is secured, especially if you have installed new extensions or made changes to the site.

If you want to implement this security patch or have any questions regarding the Magento security patch SUPEE-8788, please contact our support team and consult our certified Magento developers.

MAGENTO SECURITY PATCH SUPEE-7405 RELEASED

The updates add support for PHP 5.3 and address issues with upload file permissions, merging carts, and SOAP APIs experienced with the original release. They DO NOT address any new security issues.

Magento highly recommends that all users either install the SUPEE-7405 v1.1 patch bundle, or upgrade to Magento Enterprise Edition 1.14.2.4 or Magento Community Edition 1.9.2.4.

You must install the SUPEE-7405 v1.0 patch before installing the SUPEE-7405 v1.1 patch bundle if you are running a version of Magento Enterprise Edition prior to 1.14.2.3 or Magento Community Edition prior to 1.9.2.3.

You do not need to install the SUPEE-7405 v1.0 patch if you are running Magento Enterprise Edition 1.14.2.3, Magento Community Edition 1.9.2.3, or have previously installed the SUPEE-7405 v1.0 patch on an earlier version of Magento Community Edition.

The SUPEE-7405 v1.1 patch bundle includes the following:

Cart Merge Patch (SUPEE-7978)

Carts with identical items now merge correctly. Previously, when a cart with one item was merged with another cart that contained the same item, Magento did not merge the cart totals correctly. The cart now includes only one item, and the total is correct.

SOAP API Patch (SUPEE-7822)

The Magento SOAP API now works as expected. Previously after installing the SUPEE-7405 v1.0 patch, an API request would cause a 500 error, and Magento would log an exception.

PHP 5.3 Compatibility (SUPEE-7882)

The patch was not compatible with PHP 5.3 for earlier versions of Magento that were still supporting this version. Merchants experiencing this issue were unable to view sales information in the Admin.

Upload File Permissions

The patch restores less restrictive file permissions (0666 for files and 0777 for directories) as more strict permissions introduced by the original SUPEE-7405 patch caused many merchants not to be able to view uploaded product images, depending on hosting provider configuration.

Several CVSSv3-rated security issues affecting Magento products were found. The main ones are listed below:

Issue Type: Cross-site Scripting (XSS) – Stored

CVSSv3 Severity | Security Bug | Description
9.3 (Critical) | Stored XSS via email address | During customer registration on the storefront, a user can provide an email address that contains JavaScript code. Magento does not properly validate this email address and executes the code in the Admin context when the order is viewed in the backend. This JavaScript code can steal an administrator session or act on behalf of a store administrator.
9.3 (Critical) | Stored XSS in Order Comments | A user can append comments to an order using a specially crafted request that relies upon the PayFlow Pro payment module. Magento does not filter the request properly, which potentially results in JavaScript code being saved in the database (see issue APPSEC-1240) and then executed server-side when the administrator tries to view the order. This attack can lead to a takeover of the administrator session or to actions being executed on behalf of the administrator.
7.5 (High) | Stored XSS in Order | In certain configurations, Magento uses the HTTP_X_FORWARDED_FOR header as the customer IP address and displays it without sanitization in the Admin Panel. An attacker can use this header to inject JavaScript code into Order View forms in the Admin Panel. The code is then executed when a user visits an Order View form, allowing the takeover of an administrator session or letting an unauthorized user execute actions on behalf of an administrator. Note that Magento does not recommend using this header configuration setting.
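The third row above describes a client-supplied header being stored and rendered verbatim. The following is an added hardening example, not Magento's code: the header is honoured only behind a proxy the store operates, the value must parse as an IP address, and output is still escaped. The `$trustedProxies` list is an assumed setting.

```php
<?php
// Added example (not Magento code): deriving and rendering the customer IP when a
// store is configured to trust X-Forwarded-For. $trustedProxies is an assumed
// setting; in practice it would come from configuration.

// Vulnerable pattern: the header value is taken as-is, stored, and later echoed
// into an Admin template, so any string the client sends lands in the page.
function customerIpUnsafe(array $server): string
{
    return $server['HTTP_X_FORWARDED_FOR'] ?? $server['REMOTE_ADDR'];
}

// Hardened: honour the header only when the request arrived via a proxy we run,
// take the address the proxy appended (the last one), and keep it only if it
// parses as an IP address. Anything else falls back to REMOTE_ADDR.
function customerIpSafe(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '' || !in_array($remote, $trustedProxies, true)) {
        return $remote;
    }
    $parts = array_map('trim', explode(',', $xff));
    $candidate = end($parts);
    return filter_var($candidate, FILTER_VALIDATE_IP) !== false ? $candidate : $remote;
}

// Whatever was stored, the template must still escape on output.
function renderIpCell(string $ip): string
{
    return '<td>' . htmlspecialchars($ip, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Constructed request: markup smuggled through the header behind a trusted proxy.
$server = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.7, <b>not-an-ip</b>',
];
$trustedProxies = ['10.0.0.5'];

echo renderIpCell(customerIpUnsafe($server)), PHP_EOL;                // escaped here, but the junk value was stored
echo renderIpCell(customerIpSafe($server, $trustedProxies)), PHP_EOL; // <td>10.0.0.5</td>
```

Validation on input and escaping on output are both needed: the first keeps garbage out of the order record, the second protects every template that later displays the value.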

Issue Type: Information Leakage

CVSSv3 Severity | Security Bug | Description
7.5 (High) | Guest order view protection code vulnerable to brute-force attack | The guest order view protection code makes it possible to access guest order information for some orders, due to how the code is generated and compared with stored values. While the attack cannot target a specific order or allow a user to view all orders, it can be used to extract order information from the store.
7.5 (High) | Information Disclosure in RSS feed | Order comments and other order-related information can be downloaded by providing special parameters to the RSS feed request. Depending on the contents of the order comments, this information can disclose private information or be used to access a customer account or other customer information.
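The first row above attributes the weakness to how the protection code is generated and compared. The following added example (not Magento's code, assumes PHP 8) shows the defensive pattern: a CSPRNG-generated code, a constant-time comparison, and a per-client failure limiter. The limiter class and its keying by client address are assumed design choices.

```php
<?php
// Added example (not Magento code): issuing and checking a guest order protection
// code so that it cannot be enumerated or timing-compared. The limiter keyed by
// client address is an assumed design, not a Magento component.

// 128 bits from the CSPRNG, stored as 32 hex characters.
function generateProtectCode(): string
{
    return bin2hex(random_bytes(16));
}

// Constant-time comparison: hash_equals does not stop at the first differing
// byte, and it returns false for strings of different length.
function protectCodeMatches(string $stored, string $supplied): bool
{
    return hash_equals($stored, $supplied);
}

// Minimal in-memory limiter: after $max failed lookups a key is refused, which
// closes the brute-force path even for short legacy codes.
final class LookupLimiter
{
    private array $failures = [];

    public function __construct(private int $max = 5) {}

    public function allowed(string $key): bool
    {
        return ($this->failures[$key] ?? 0) < $this->max;
    }

    public function recordFailure(string $key): void
    {
        $this->failures[$key] = ($this->failures[$key] ?? 0) + 1;
    }
}

// Constructed scenario: one stored code, repeated wrong guesses from one address.
$stored  = generateProtectCode();
$limiter = new LookupLimiter(5);
$client  = '198.51.100.23';
for ($attempt = 1; $attempt <= 7; $attempt++) {
    if (!$limiter->allowed($client)) {
        echo "attempt $attempt: refused by limiter", PHP_EOL;
        continue;
    }
    if (!protectCodeMatches($stored, str_repeat('0', 32))) {
        $limiter->recordFailure($client);
        echo "attempt $attempt: no match", PHP_EOL;
    }
}
echo protectCodeMatches($stored, $stored) ? 'owner lookup: match' : 'owner lookup: fail', PHP_EOL;
```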

Issue Type: Cross-site Request Forgery (CSRF)

CVSSv3 Severity | Security Bug | Description
7.4 (High) | CSRF token not validated on backend login page | The lack of form protection on the Admin Login page enables potential request forgery attacks. These attacks require the administrator to be tricked into clicking a link, by phishing or by link hiding.

Source: Magento

Magento highly recommends deploying these security patches right away to ensure optimal security and performance.

What else can be done to protect a Magento site?

Apart from installing the security patches, you can always ask Magento certified professionals to conduct a security audit every quarter to ensure that your store is secure, especially if you have installed new extensions or made changes to the site.

Consult our certified Magento developers if you want to implement this security patch, and if you have any questions regarding the Magento security patch SUPEE-7405, please contact our support team.

MAGENTO SECURITY PATCH SUPEE-6788 RELEASED

SUPEE-6788 is a bundle of patches that resolve several security-related issues.

Several CVSSv3-rated security issues affecting Magento products were found. The main ones are listed below:

Issue Type: Information Leakage (Internal)

CVSSv3 Severity | Security Bug | Description
7.5 (High) | Error Reporting in Setup Exposes Configuration | Error messages generated during the Magento installation, or during a failed extension installation, can expose the Magento configuration and database access credentials. In most cases the database server is configured to prevent external connections; in other cases the information can be exploited directly or combined with another attack.
9.3 (Critical) | Filter Directives Can Allow Access to Protected Data | The email template filter functionality can be used to call blocks that expose customer information such as last orders or integration passwords. While Magento uses this functionality safely internally, external extensions are known to use it to process user input such as blog comments, which allows access to protected information from the storefront.

Issue Type: XXE/XEE (XML Injection)

CVSSv3 Severity | Security Bug | Description
7.5 (High) | XXE/XEE attack on Zend XML functionality using multibyte payloads | Magento can be forced to read XML via API calls containing ENTITY references to local files, possibly reading password or configuration files. While Zend Framework filters out ENTITY references, they can be encoded as multi-byte characters to avoid detection.

Issue Type: SQL Injection

CVSSv3 Severity | Security Bug | Description
7.4 (High) | Potential SQL Injection in Magento Core Model Based Classes | The addFieldToFilter method does not escape the field name. Although core Magento functionality is not affected, this issue might impact third-party extensions such as layered navigation extensions, which could be exploited from the storefront to execute arbitrary SQL queries.

Issue Type: Remote Code Execution (RCE)

CVSSv3 Severity | Security Bug | Description
7.4 (High) | Potential remote code execution using Cron | The cron.php script can be called by anyone and itself calls command-line functions, which makes it a possible target for the Shellshock vulnerability (which should be fixed on the server). Additionally, the command passed to the shell is not escaped, so a directory named like a shell command can result in code execution; such an attack, however, requires additional access to create directories with arbitrary names, for example through a hosting panel. While scored as high, the attack is not exploitable by itself.
6.5 (Medium) | Remote Code Execution/Information Leak Using File Custom Option | Custom option values are not cleared when the custom option type is switched. This makes it possible to inject malicious serialized code into a custom option of the "text" type and execute it by switching the custom option type to "file". Exploiting this requires the store to use custom options and a store administration account with access to catalog/products.

Issue Type: Cross-site Scripting (XSS) – reflected, Cross-site Request Forgery (CSRF)

CVSSv3 Severity | Security Bug | Description
8.2 (High) | Cross site scripting with error messages/CSRF/Session fixation | Error messages on storefront pages are not escaped correctly, enabling a self-XSS issue. Together with the lack of CSRF protection on the create account form, this can result in session fixation.
9.3 (Critical) | Cross-site Scripting/Cache Poisoning | An unvalidated Host header leaks into the response and page. Because the page can be cached, this leak poses a risk to all store customers, since any HTML or JavaScript code can be injected. Such an exploit works only with specific server configurations, and allows an attacker to intercept a session or modify a page with fake credit card forms, etc.
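The cache poisoning row above (the same issue reappears in the SUPEE-6482 notes further down) comes from building URLs out of the Host header. The following added example, not Magento's code, contrasts that pattern with resolving the host against a configured allowlist; `$allowedHosts` is an assumed setting.

```php
<?php
// Added example (not Magento code): resolving the request host from a configured
// allowlist instead of trusting the Host header, so that an attacker-chosen host
// is never written into a page that the cache then serves to every visitor.

// Vulnerable pattern: Host is reflected into markup (base URLs, canonical links,
// form actions) that is cacheable.
function baseUrlUnsafe(array $server): string
{
    return 'https://' . $server['HTTP_HOST'] . '/';
}

// Hardened: the header is used only if it exactly matches one of the configured
// store hosts; otherwise the primary host is used. (Returning HTTP 400 instead of
// falling back is an equally valid policy.) $allowedHosts is an assumed setting.
function baseUrlSafe(array $server, array $allowedHosts): string
{
    $raw = strtolower($server['HTTP_HOST'] ?? '');
    // Accept only hostname characters with an optional numeric port; drop the port.
    $host = preg_match('/^([a-z0-9.-]+)(?::\d{1,5})?$/', $raw, $m) ? $m[1] : '';
    if (!in_array($host, $allowedHosts, true)) {
        $host = $allowedHosts[0];
    }
    return 'https://' . $host . '/';
}

$allowedHosts = ['shop.example', 'www.shop.example'];
// Constructed requests: a legitimate host and a poisoned one.
$good = ['HTTP_HOST' => 'shop.example'];
$bad  = ['HTTP_HOST' => 'shop.example"><b>injected</b>'];

echo baseUrlUnsafe($bad), PHP_EOL;                // attacker-controlled markup in the URL
echo baseUrlSafe($good, $allowedHosts), PHP_EOL;  // https://shop.example/
echo baseUrlSafe($bad, $allowedHosts), PHP_EOL;   // https://shop.example/
```

Even with the allowlist in place, any place the host is echoed into HTML should still go through htmlspecialchars, so a future configuration mistake cannot reintroduce the injection.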

Source: Magento

Magento highly recommends deploying these security patches right away to ensure optimal security and performance.

What else can be done to protect a Magento site?

Apart from installing the security patches, you can always ask Magento certified professionals to conduct a security audit every quarter to ensure that your store is secure, especially if you have installed new extensions or made changes to the site.

Consult our certified Magento developers if you want to implement this security patch, and if you have any questions regarding the Magento security patch SUPEE-6788, please contact our support team.

MAGENTO SECURITY PATCH SUPEE-6482 RELEASED

SUPEE-6482 is a bundle of patches that resolve several security-related issues.

Several CVSSv3-rated security issues affecting Magento products were found. The main ones are listed below:

Issue Type: Remote File Inclusion

CVSSv3 Severity | Security Bug | Description
5.3 (Medium) | Error Reporting in Setup Exposes Configuration | Incorrect encoding of the API password can lead to probing of internal network resources or remote file inclusion.

Issue Type: Remote Code Execution (RCE)

CVSSv3 Severity | Security Bug | Description
6.5 (Medium) | Autoloaded File Inclusion in Magento SOAP API | Incorrect validation of a SOAP API request makes it possible to autoload code. The exploit requires the attacker to first log in with API credentials. Depending on the PHP version and/or configuration settings, code can then be loaded from a remote location.

Issue Type: Cross-site Scripting (XSS) – Stored / Cache Poisoning

CVSSv3 Severity | Security Bug | Description
9.3 (Critical) | Cross site scripting with error messages/CSRF/Session fixation | An unvalidated Host header leaks into the response and page. Because the page can be cached, this leak poses a risk to all store customers, since any HTML or JavaScript code can be injected. Such an exploit works only with specific server configurations, and allows an attacker to intercept a session or modify a page with fake credit card forms, etc.
9.3 (Critical) | Cross-site Scripting in Gift Registry Search | This cross-site scripting vulnerability affects registered users. The attack is carried out through an unescaped search parameter, with a risk of cookie theft and impersonation of the user.

Source: Magento

Magento highly recommends deploying these security patches right away to ensure optimal security and performance.

What else can be done to protect a Magento site?

Apart from installing the security patches, you can always ask Magento certified professionals to conduct a security audit every quarter to ensure that your store is secure, especially if you have installed new extensions or made changes to the site.

Consult our certified Magento developers if you want to implement this security patch, and if you have any questions regarding the Magento security patch SUPEE-6482, please contact our support team.

MAGENTO SECURITY PATCH SUPEE-6285 RELEASED

SUPEE-6285 is a bundle of eight patches that resolve several security-related issues.

Several CVSSv3-rated security issues affecting Magento products were found. The main ones are listed below:

Issue Type: Privilege Escalation / Insufficient Data Protection

CVSSv3 Severity | Security Bug | Description
7.5 (High) | Customer Information Leak via RSS and Privilege Escalation | An improper check for an authorized URL leads to a customer information leak (order information, order IDs, customer name). The leaked information simplifies an attack on guest Order Review, which exposes the customer email and the shipping and billing addresses. In some areas, the same underlying issue can lead to privilege escalation for Admin accounts.

Issue Type: Cross-site Request Forgery

CVSSv3 Severity | Security Bug | Description
9.3 (Critical) | Request Forgery in Magento Connect Leads to Code Execution | Cross-site request forgery in Magento Connect Manager allows an attacker to execute actions such as the installation of a remote module, which leads to the execution of remote code. The attack requires a Magento store administrator, while logged in to Magento Connect Manager, to click a link prepared by the attacker.

Issue Type: Cross-site Scripting (Other)

CVSSv3 Severity | Security Bug | Description
5.3 (Medium) | Cross-site Scripting in Wishlist | This vulnerability makes it possible to include an unescaped customer name when Wishlists are sent. By manipulating the customer name, an attacker can use the store to send spoofing or phishing emails.

Source: Magento

Magento highly recommends deploying these security patches right away to ensure optimal security and performance.

What else can be done to protect a Magento site?

Apart from installing the security patches, you can always ask Magento certified professionals to conduct a security audit every quarter to ensure that your store is secure, especially if you have installed new extensions or made changes to the site.

Consult our certified Magento developers if you want to implement this security patch, and if you have any questions regarding the Magento security patch SUPEE-6285, please contact our support team.