MAGENTO SECURITY PATCH SUPEE-11155 RELEASED

Magento Inc. has released a new patch that closes a number of serious vulnerabilities, including cross-site scripting and cross-site request forgery issues. SUPEE-11155 stands guard over your Magento store.

Supee Patch 11155 for Magento

Magento has always kept a sharp eye on the platform's security and performance issues. The team guarantees the safest environment for any ecommerce business with far-reaching ambitions. The timely and powerful security patch SUPEE-11155 shows Magento maintenance services at their best. The patch contains multiple security enhancements that close remote code execution, cross-site scripting, cross-site request forgery and other vulnerabilities.

Depending on your Magento version, take one of the following actions today to ensure the steadfast performance of your store:

  • Magento Commerce 1.9.0.0 – 1.14.4.1: Install SUPEE-11155 or upgrade to Magento Commerce 1.14.4.2
  • Magento Open Source 1.5.0.0 – 1.9.4.1: Install SUPEE-11155 or upgrade to Magento Open Source 1.9.4.2

List of high-severity (CVSSv3) issues addressed by this security patch:

  • Arbitrary code execution in the advanced admin logging configuration – CVE-2019-7893
    A user with administrator privileges and access to the advanced admin logging configuration can trigger remote code execution via PHP Object Injection.
  • Arbitrary code execution by importing malicious dataflow profiles – CVE-2019-7884
    An authenticated user with privileges to edit block permissions, import dataflow functionality, and modify CMS content can execute arbitrary code by importing malicious dataflow profiles.
  • Arbitrary code execution via crafted sitemap creation – CVE-2019-7932
    An authenticated user with admin privileges to create sitemaps can execute arbitrary code via crafted filenames that include a PHP extension within the XML filename.
  • PHP Object Injection in the Currency setup feature can lead to arbitrary code execution – CVE-2019-7914
    A PHP Object Injection vulnerability in the currency setup feature can be exploited by an authenticated user with administrator privileges to execute arbitrary code.
  • PHP Object Injection in the Admin Actions Logging feature can lead to arbitrary code execution – CVE-2019-7946
    A PHP Object Injection vulnerability in the admin actions logging configuration feature can be exploited by an authenticated user with administrator privileges to execute arbitrary code.
  • PHP Object Injection in the Model Design Package can lead to arbitrary code execution – CVE-2019-7906
    A PHP Object Injection vulnerability in the model design package can be exploited by an authenticated user with administrator privileges to execute arbitrary code.
  • PHP Object Injection in the Enterprise Logging feature can lead to arbitrary code execution – CVE-2019-7905
    A PHP Object Injection vulnerability in the enterprise logging configuration feature can be exploited by an authenticated user with administrator privileges to execute arbitrary code.
  • Remote code execution via dataflow import and catalog functionality – CVE-2019-7952
    An authenticated user with admin privileges can execute arbitrary code via layout updates when using a crafted combination of dataflow import and catalog categories.
  • Arbitrary code execution due to unsafe handling of system configuration – CVE-2019-7911
    An authenticated user with admin privileges to manipulate system configuration can execute arbitrary code through server-side request forgery.
  • Arbitrary code execution due to unsafe handling of payment bridge gateway – CVE-2019-7910
    An authenticated user with admin privileges to manipulate payment methods can execute arbitrary code through server-side request forgery.
  • Arbitrary code execution due to unsafe deserialization of configuration fields – CVE-2019-7907
    An authenticated user with configuration privileges can execute arbitrary code due to unserialization of user-controlled configuration values.
  • Stored cross-site scripting in admin panel – CVE-2019-7909
    A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious JavaScript.
  • Stored cross-site scripting in the admin panel – CVE-2019-7875
    A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious JavaScript.
  • Stored cross-site scripting in the admin panel – CVE-2019-7933
    A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious JavaScript.

Source: Magento
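Several of the issues above (CVE-2019-7893, -7914, -7946, -7906, -7905 and -7907) share one root cause: admin-supplied configuration text reaching PHP's unserialize(), which lets the caller choose which classes get instantiated. The following is an added example, not Magento's own code, showing the unsafe pattern beside a hardened loader that only accepts arrays of scalars; the function names and the sample config are constructed for illustration.

```php
<?php
// Added example (not Magento code). Hardened counterpart of the pattern
// behind the PHP Object Injection issues in SUPEE-11155. Function names
// and sample data are hypothetical.
declare(strict_types=1);

// Unsafe pattern: any autoloadable class may be instantiated, so its
// __wakeup()/__destruct() run on data an admin account supplied.
function loadConfigUnsafe(string $raw)
{
    return unserialize($raw);
}

// Hardened: never instantiate objects and accept only nested scalars/arrays,
// which is all a configuration field legitimately holds.
function loadConfigSafe(string $raw): array
{
    // allowed_classes => false turns any serialized object into
    // __PHP_Incomplete_Class instead of running its class's hooks.
    $value = unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== serialize(false)) {
        throw new InvalidArgumentException('malformed serialized config');
    }
    if (!is_array($value)) {
        throw new InvalidArgumentException('config must deserialize to an array');
    }
    // Walk every leaf and refuse the whole value if an object slipped in;
    // the exception message is also a useful line to alert on in logs.
    array_walk_recursive($value, function ($leaf): void {
        if (is_object($leaf)) {
            throw new InvalidArgumentException('object found in config tree');
        }
    });
    return $value;
}

// Constructed inputs: a legitimate serialized array field, as Magento 1
// stores for "array" system config values, and one carrying an object.
$legit = serialize(['_row_1' => ['field' => 'shipping', 'value' => 'flat']]);
$loaded = loadConfigSafe($legit);
echo 'legit config rows: ' . count($loaded) . "\n";

$hostile = 'a:1:{i:0;O:8:"stdClass":1:{s:1:"x";i:1;}}';
try {
    loadConfigSafe($hostile);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}
```

Applying the patch is still the fix for the listed CVEs; the loader above illustrates the class of defence the patch introduces, so that custom modules which unserialize admin input can be reviewed against the same rule.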


Assistance with security patch
