S

SUPEE-10570

SUPEE-10570, released on February 27, 2018 contain multiple security enhancements that help close remote code execution (RCE), cross-site scripting (XSS, and other issues.

APPSEC-1932: Remote Code Execution Using XML Injection
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 9.8 (High)
Known Attacks: None
Description: An administrator with limited privileges can insert injectable XML into the layout table, which can create an opportunity for remote code execution.
Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570
Reporter: Peter O’Callaghan
APPSEC-1938: Remote Code Execution – additional fix not included in SUPEE-9652
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 9.8 (High)
Known Attacks: None
Description: A user can insert information in a return path, thereby storing information on the file system that could lead to Remote Code Execution (RCE).
Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570
Reporter: Cipriano Groenendal
APPSEC-1964: Remote Code Execution by (semi-)arbitrary file deletion for admin users with access to Import.
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 9.8 (High)
Known Attacks: None
Description: An administrator with Import permissions can import an XML file that could potentially provide an opportunity for Remote Code Execution (RCE).
Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570
Reporter: Fabain
APPSEC-2000: Remote Code Execution in Staging Environment
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 7.2 (High)
Known Attacks: None
Description: An administrator with limited privileges can inject a malformed configuration bypass, which could potentially lead to a file redirection that could be leveraged for arbitrary remote code execution.
Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570
Reporter: Peter O’Callaghan
APPSEC-1944: Cross-Site Request Forgery in Store Backups
Type: Cross-Site Request Forgery (CSRF)
CVSSv3 Severity: 6.4 (Medium)
Known Attacks: None
Description: An administrator can be tricked into performing a system backup by an attacker who has crafted a targeted Cross-Site Request forgery (CSRF) attack.
Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Boskostan
APPSEC-1878/1890: Cross-site Scripting in CMS hierarchy
Type: Cross-site Scripting (XSS) – stored
CVSSv3 Severity: 5.0 (Medium)
Known Attacks: None
Description: An administrator with limited privileges can insert script into the CMS hierarchy, which could potentially result in a stored cross-site scripting that affects other administrators.
Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.2 prior to 2.2.3
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.2.3
Reporter: Max Chadwick and Magecraze
APPSEC-1908/1948: Cross-site Scripting in Custom Variables
Type: Cross-site Scripting (XSS) – stored
CVSSv3 Severity: 5.0 (Medium)
Known Attacks: None
Description: An administrator with limited privileges can insert script in the custom variables name field, which could potentially result in stored cross-site scripting that affects other administrators.
Product(s) Affected: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Fixed In: Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Reporter: Magecraze
APPSEC-1916: Cross-site Scripting in Attribute Group Name
Type: Cross-site Scripting (XSS) – stored
CVSSv3 Severity: 5.0 (Medium)
Known Attacks: None
Description: An administrator with limited privileges can insert script in the attribute group name field, which could potentially result in stored cross-site scripting that affects other administrators.
Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Magecraze
APPSEC-1928: Cross-site Scripting in Downloadable Products
Type: Cross-site Scripting (XSS) – stored
CVSSv3 Severity: 5.0 (Medium)
Known Attacks: None
Description: An administrator with limited privileges can insert script in the downloadable product link title field, which could subsequently lead to a stored cross-site scripting attack.
Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Magecraze
APPSEC-1945: Cross-site Scripting in Product SKU
Type:
CVSSv3 Severity:
Known Attacks: None
Description: An administrator with limited privileges can insert script in the RMA SKU field, which could potentially result in a stored cross-site scripting attack.
Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Magecraze
APPSEC-1973: Cross-site Scripting in Newsletter Template
Type: Cross-site Scripting (XSS) – stored
CVSSv3 Severity: 5.0 (Medium)
Known Attacks: None
Description: An administrator with limited privileges can embed cross-site scripting elements in the Newsletter template, which could potentially lead to a stored cross-site scripting attack.
Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Peter O’Callaghan
APPSEC-1979/1980: Cross-site Scripting in Site Settings
Type: Cross-site Scripting (XSS) – stored
CVSSv3 Severity: 5.0 (Medium)
Known Attacks: None
Description: An administrator with limited privileges can embed cross-site scripting elements in the Website Name/Store View Name setting, which could potentially lead to a stored cross-site scripting attack.
Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Peter O’Callaghan
APPSEC-1995: Cross-site Scripting in Downloadable Products
Type: Cross-site Scripting (XSS) – stored
CVSSv3 Severity: 5.0 (Medium)
Known Attacks: None
Description: An administrator with limited privileges can insert arbitrary code into product fields, which could potentially lead to a stored cross-site scripting attack.
Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Boskostan
APPSEC-1889: Cross-Site Request Forgery Protection Bypass
Type: Cross-Site Request Forgery (CSRF)
CVSSv3 Severity: 4.9 (Medium)
Known Attacks: None
Description: An administrator with limited privileges can craft a cross-site request to perform requests on behalf of another administrator.
Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Fabain
APPSEC-1553: Access to Gift Registries of Other Users
Type: Insecure Direct Object Reference (IDOR)
CVSSv3 Severity: 4.8 (Medium)
Known Attacks: None
Description: A user can view gift registries that do not belong to them.
Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Peter O’Callaghan
APPSEC-1026: Session Management
Type: Session Management
CVSSv3 Severity: 3.9 (Low)
Known Attacks: None
Description: Active sessions persist after a password change.
Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570
Reporter: Vishnu_Vardhan_Reddy
APPSEC-1937: Insufficient privilege seperation
Type: Information Exposure
CVSSv3 Severity: 3.9 (Low)
Known Attacks: None
Description: Weak protection checking can potentially lead to privilege escalation or information disclosure.
Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Peter O’Callaghan
APPSEC-1967: Password Change Session Management
Type: Session Management
CVSSv3 Severity: 3.4 (Low)
Known Attacks: None
Description: Magento did not previously terminate existing sessions when the currently logged-in user changed his or her password.
Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Internal
APPSEC-1972: Password Reset Session Management
Type: Session Management
CVSSv3 Severity: 3.4 (Low)
Known Attacks: None
Description: When a user reset his or her password, Magento did not previously log out of existing sessions.
Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12
Reporter: Internal
SUPEE-10570
2 votes, 5.00 avg. rating (95% score)