
SUPEE-10266

The SUPEE-10266 patch contains multiple security enhancements that help close cross-site request forgery (CSRF), unauthorized data leak, and authenticated Admin user remote code execution vulnerabilities. These releases also include fixes for issues with image reloading and payments using one-step checkout.

The patch can be downloaded from https://magento.com/tech-resources/download#download2073

APPSEC-1838: RSS session admin cookie can be used to gain Magento administrator privileges.
Type: Privilege Escalation
CVSSv3 Severity: 8.2 (High)
Known Attacks: None
Description: An attacker can use a low privilege RSS session cookie to escalate privileges and gain access to the Magento Admin Portal.
Product(s) Affected: Magento Open Source prior to 1.9.3.6, and Magento Commerce prior to 1.14.3.6
Fixed In: Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266
Reporter: gwillem

APPSEC-1800: Remote Code Execution vulnerability in CMS and layouts
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 8.2 (High)
Known Attacks: None
Description: A Magento administrator with limited privileges can introduce malicious code when creating a new CMS Page, which could result in arbitrary remote code execution.
Product(s) Affected: Magento Open Source prior to 1.9.3.6, and Magento Commerce prior to 1.14.3.6, Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266, Magento 2.0.16, Magento 2.1.9
Reporter: dhln

APPSEC-1835: Exposure of Magento secret key from app/etc/local.xml
Type: Information Leak (system)
CVSSv3 Severity: 8.2 (High)
Known Attacks: None
Description: An administrator with limited privileges can create content that references and exposes sensitive Magento installation information that could be leveraged in further exploitation.
Product(s) Affected: Magento Open Source prior to 1.9.3.6, and Magento Commerce prior to 1.14.3.6
Fixed In: Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266
Reporter: Jeroen Boersma

APPSEC-1757: Directory traversal in template configuration
Type: Information Leak (system)
CVSSv3 Severity: 6.1 (Medium)
Known Attacks: None
Description: An administrator with limited privileges can force Magento store notifications to include internal system files.
Product(s) Affected: Magento Open Source prior to 1.9.3.6, and Magento Commerce prior to 1.14.3.6
Fixed In: Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266
Reporter: Nashcontrol

APPSEC-1852: CSRF + Stored Cross-Site Scripting (customer group)
Type: CSRF, XSS (stored)
CVSSv3 Severity: 6.0 (Medium)
Known Attacks: None
Description: A Magento administrator with limited privileges can exploit a vulnerability in the customer group to create a URL that can be used as part of a CSRF attack.
Product(s) Affected: Magento Open Source prior to 1.9.3.6, and Magento Commerce prior to 1.14.3.6, Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266, Magento 2.0.16, Magento 2.1.9
Reporter: Boskostan

APPSEC-1494: AdminNotification Stored XSS
Type: Cross-Site Scripting (XSS, stored)
CVSSv3 Severity: 5.9 (Medium)
Known Attacks: None
Description: An attacker with the ability to launch a man-in-the-middle attack on a network connection could inject code into the Magento Admin RSS feed.
Product(s) Affected: Magento Open Source prior to 1.9.3.6, and Magento Commerce prior to 1.14.3.6, Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266, Magento 2.0.16, Magento 2.1.9
Reporter: lleber

APPSEC-1793: Potential file uploads solely protected by .htaccess
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 5.8 (Medium)
Known Attacks: None
Description: An attacker can target non-Apache installations (for example, Nginx) to upload executable scripts that can be used to stage further exploitation.
Product(s) Affected: Magento Open Source prior to 1.9.3.6, and Magento Commerce prior to 1.14.3.6, Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266, Magento 2.0.16, Magento 2.1.9
Reporter: Internal

APPSEC-1853: CSRF + Stored Cross-Site Scripting in newsletter template
Type: CSRF, XSS (stored)
CVSSv3 Severity: 5.5 (Medium)
Known Attacks: None
Description: A Magento administrator with limited privileges can exploit a vulnerability in the newsletter template to create a URL that can be used as part of a CSRF attack.
Product(s) Affected: Magento Open Source prior to 1.9.3.6, and Magento Commerce prior to 1.14.3.6, Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266, Magento 2.0.16, Magento 2.1.9
Reporter: Boskostan

APPSEC-1729: XSS in admin order view using order status label in Magento
Type: Cross-Site Scripting (XSS, stored)
CVSSv3 Severity: 5.5 (Medium)
Known Attacks: None
Description: An administrator can inject code into sales order records, which can result in an XSS attack on anyone who views the page.
Product(s) Affected: Magento Open Source prior to 1.9.3.6, and Magento Commerce prior to 1.14.3.6, Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266, Magento 2.0.16, Magento 2.1.9
Reporter: fabian

APPSEC-1579: Customer Segment Delete Action uses GET instead of POST request
Type: Cross-Site Request Forgery (CSRF)
CVSSv3 Severity: 5.1 (Medium)
Known Attacks: None
Description: A Magento administrator can be made to perform malicious actions because the form key is inadequately checked on the customer segment page.
Product(s) Affected: Magento Open Source prior to 1.9.3.6, and Magento Commerce prior to 1.14.3.6, Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266, Magento 2.0.16, Magento 2.1.9
Reporter: Internal

APPSEC-1588: Order Item Custom Option Disclosure
Type: Information Leak (order)
CVSSv3 Severity: 4.9 (Medium)
Known Attacks: None
Description: An attacker can craft a URL request on a Magento site during checkout and retrieve information about past orders.
Product(s) Affected: Magento Open Source prior to 1.9.3.6, and Magento Commerce prior to 1.14.3.6, Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266, Magento 2.0.16, Magento 2.1.9
Reporter: Peter O’Callaghan

APPSEC-1599: Admin login does not handle autocomplete feature correctly
Type: Information Leak (system)
CVSSv3 Severity: 4.1 (Medium)
Known Attacks: None
Description: Several fields in the Admin panel do not correctly handle autocomplete, which could leak information when a browser tries to autocomplete the field.
Product(s) Affected: Magento Open Source prior to 1.9.3.6, and Magento Commerce prior to 1.14.3.6, Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266, Magento 2.0.16, Magento 2.1.9
Reporter: Internal

APPSEC-1688: Secure cookie check to prevent MITM not expiring user sessions
Type: Insufficient Session Expiration
CVSSv3 Severity: 3.8 (Low)
Known Attacks: None
Description: Magento does not properly validate session cookies or expire them, which potentially permits visitors to use expired cookies to interact with a store.
Product(s) Affected: Magento Open Source prior to 1.9.3.6, and Magento Commerce prior to 1.14.3.6
Fixed In: Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266
Reporter: jay-d