Rave Digital
eCommerce implementations (Magento) and Digital Strategy, CMS (Wordpress), Salesforce, Mobile Apps, Creative Services Right Arrow
AheadWorks
Leading Provider of Magento Extensions
Hosted and managed eCommerce based on Magento Open Source Right Arrow
Toggle Nav
My Cart
My Cart
Menu
Filters

MAGENTO SECURITY PATCH SUPEE-11155 RELEASED

Categorized as : Security Patches

Magento Inc. announces new patch to eliminate a number of acute errors and vulnerabilities in cross-site operations. SUPEE-11155 to stand guard over your Magento store.


Supee Patch 11155 for Magento

Magento has always kept a sharp eye on security and performance issues of the platform. The team guarantees safest environment for any ecommerce business with far-reaching ambitions. A  timely and powerful security patch SUPEE-11155 proves the best of Magento maintenance services. The patch contains multiple security enhancements which help close remote code execution, cross-site scripting, cross-site request forgery and other vulnerabilities.

Opt today for one of the following with regard to your Magento version, and ensure steadfast performance of the store:











Magento Commerce
1.9.0.0
-
1.14.4.1
 Install SUPEE-11155 or upgrade to Magento Commerce 1.14.4.2
Magento Open Source
1.5.0.0
-
1.9.4.1
 Install SUPEE-11155 or upgrade to Magento Open Source 1.9.4.2

List of high CVSSv3 severity issues addressed by the present security patch:



  • Arbitrary code execution in the advanced admin logging configuration – CVE-2019-7893 
     A user with administrator privileges and access to the advanced admin logging configuration can trigger remote code execution via PHP Object Injection.

  • Arbitrary code execution by importing malicious dataflow profiles – CVE-2019-7884
    An authenticated user with privileges to edit block permission, import dataflow functionality, and modify CMS content can execute arbitrary code by importing malicious dataflow profiles.

  • Arbitrary code execution via crafted sitemap creation – CVE-2019-7932
    An authenticated user with admin privileges to create sitemaps can execute arbitrary code by crafted filenames that include php extension within the XML filename.

  • PHP Object Injection in the Currency setup feature can lead to arbitrary code execution – CVE-2019-7914
    A PHP Object Injection vulnerability in the currency setup feature can be exploited by an authenticated user with administrator privileges to execute arbitrate code.

  • PHP Object Injection in the Admin Actions Logging feature can lead to arbitrary code execution – CVE-2019-7946
    A PHP Object Injection vulnerability in the admin actions logging configuration feature can be exploited by an authenticated user with administrator privileges to execute arbitrate code.

  • PHP Object Injection in the Model Design Package can lead to arbitrary code execution – CVE-2019-7906
    A PHP Object Injection vulnerability in the model design package can be exploited by an authenticated user with administrator privileges to execute arbitrate code.

  • PHP Object Injection in the Enterprise Logging feature can lead to arbitrary code execution – CVE-2019-7905
    A PHP Object Injection vulnerability in the enterprise logging configuration feature can be exploited by an authenticated user with administrator privileges to execute arbitrate code.

  • Remote code execution via dataflow import and catalog functionality – CVE-2019-7952
    An authenticated user with admin privileges can execute arbitrary code via layout upates when using crafted combination of data flow import and catalog categories.

  • Arbitrary code execution due to unsafe handling of system configuration – CVE-2019-7911
    An authenticated user with admin privileges to manipulate system configuration can execute arbitrary code through server-side request forgery.

  • Arbitrary code execution due to unsafe handling of payment bridge gateway – CVE-2019-7910An authenticated user with admin privileges to manipulate payment methods can execute arbitrary code through server-side request forgery.

  • Arbitrary code execution due to unsafe deserialization of configuration fields – CVE-2019-7907
    An authenticated user with configuration privileges can execute arbitrary code due to unserialization of user controlled configuration values.

  • Stored cross-site scripting in admin panel – CVE-2019-7909
    A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript.

  • Stored cross-site scripting in the admin panel – CVE-2019-7875
    A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript.

  • Stored cross-site scripting in the admin panel – CVE-2019-7933
    A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript.


Source: Magento



Assitance with security patch
Tagged as Version Updates

Share

  • Share