SUPEE-10570, released on February 27, 2018 contain multiple security enhancements that help close remote code execution (RCE), cross-site scripting (XSS, and other issues.
Note: The patch is obsolete and replaced by SUPEE-10570v2.
| APPSEC-1932: Remote Code Execution Using XML Injection | |
|---|---|
| Type: | Remote Code Execution (RCE) |
| CVSSv3 Severity: | 9.8 (High) |
| Known Attacks: | None |
| Description: | An administrator with limited privileges can insert injectable XML into the layout table, which can create an opportunity for remote code execution. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8 |
| Fixed In: | Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570 |
| Reporter: | Peter O’Callaghan |
| APPSEC-1938: Remote Code Execution – additional fix not included in SUPEE-9652 | |
|---|---|
| Type: | Remote Code Execution (RCE) |
| CVSSv3 Severity: | 9.8 (High) |
| Known Attacks: | None |
| Description: | A user can insert information in a return path, thereby storing information on the file system that could lead to Remote Code Execution (RCE). |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8 |
| Fixed In: | Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570 |
| Reporter: | Cipriano Groenendal |
| APPSEC-1964: Remote Code Execution by (semi-)arbitrary file deletion for admin users with access to Import. | |
|---|---|
| Type: | Remote Code Execution (RCE) |
| CVSSv3 Severity: | 9.8 (High) |
| Known Attacks: | None |
| Description: | An administrator with Import permissions can import an XML file that could potentially provide an opportunity for Remote Code Execution (RCE). |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8 |
| Fixed In: | Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570 |
| Reporter: | Fabain |
| APPSEC-2000: Remote Code Execution in Staging Environment | |
|---|---|
| Type: | Remote Code Execution (RCE) |
| CVSSv3 Severity: | 7.2 (High) |
| Known Attacks: | None |
| Description: | An administrator with limited privileges can inject a malformed configuration bypass, which could potentially lead to a file redirection that could be leveraged for arbitrary remote code execution. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8 |
| Fixed In: | Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570 |
| Reporter: | Peter O’Callaghan |
| APPSEC-1944: Cross-Site Request Forgery in Store Backups | |
|---|---|
| Type: | Cross-Site Request Forgery (CSRF) |
| CVSSv3 Severity: | 6.4 (Medium) |
| Known Attacks: | None |
| Description: | An administrator can be tricked into performing a system backup by an attacker who has crafted a targeted Cross-Site Request forgery (CSRF) attack. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3 |
| Fixed In: | Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3 |
| Reporter: | Boskostan |
| APPSEC-1878/1890: Cross-site Scripting in CMS hierarchy | |
|---|---|
| Type: | Cross-site Scripting (XSS) – stored |
| CVSSv3 Severity: | 5.0 (Medium) |
| Known Attacks: | None |
| Description: | An administrator with limited privileges can insert script into the CMS hierarchy, which could potentially result in a stored cross-site scripting that affects other administrators. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.2 prior to 2.2.3 |
| Fixed In: | Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.2.3 |
| Reporter: | Max Chadwick and Magecraze |
| APPSEC-1908/1948: Cross-site Scripting in Custom Variables | |
|---|---|
| Type: | Cross-site Scripting (XSS) – stored |
| CVSSv3 Severity: | 5.0 (Medium) |
| Known Attacks: | None |
| Description: | An administrator with limited privileges can insert script in the custom variables name field, which could potentially result in stored cross-site scripting that affects other administrators. |
| Product(s) Affected: | Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3 |
| Fixed In: | Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3 |
| Reporter: | Magecraze |
| APPSEC-1916: Cross-site Scripting in Attribute Group Name | |
|---|---|
| Type: | Cross-site Scripting (XSS) – stored |
| CVSSv3 Severity: | 5.0 (Medium) |
| Known Attacks: | None |
| Description: | An administrator with limited privileges can insert script in the attribute group name field, which could potentially result in stored cross-site scripting that affects other administrators. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3 |
| Fixed In: | Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3 |
| Reporter: | Magecraze |
| APPSEC-1928: Cross-site Scripting in Downloadable Products | |
|---|---|
| Type: | Cross-site Scripting (XSS) – stored |
| CVSSv3 Severity: | 5.0 (Medium) |
| Known Attacks: | None |
| Description: | An administrator with limited privileges can insert script in the downloadable product link title field, which could subsequently lead to a stored cross-site scripting attack. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3 |
| Fixed In: | Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3 |
| Reporter: | Magecraze |
| APPSEC-1945: Cross-site Scripting in Product SKU | |
|---|---|
| Type: | |
| CVSSv3 Severity: | |
| Known Attacks: | None |
| Description: | An administrator with limited privileges can insert script in the RMA SKU field, which could potentially result in a stored cross-site scripting attack. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3 |
| Fixed In: | Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3 |
| Reporter: | Magecraze |
| APPSEC-1973: Cross-site Scripting in Newsletter Template | |
|---|---|
| Type: | Cross-site Scripting (XSS) – stored |
| CVSSv3 Severity: | 5.0 (Medium) |
| Known Attacks: | None |
| Description: | An administrator with limited privileges can embed cross-site scripting elements in the Newsletter template, which could potentially lead to a stored cross-site scripting attack. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3 |
| Fixed In: | Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3 |
| Reporter: | Peter O’Callaghan |
| APPSEC-1979/1980: Cross-site Scripting in Site Settings | |
|---|---|
| Type: | Cross-site Scripting (XSS) – stored |
| CVSSv3 Severity: | 5.0 (Medium) |
| Known Attacks: | None |
| Description: | An administrator with limited privileges can embed cross-site scripting elements in the Website Name/Store View Name setting, which could potentially lead to a stored cross-site scripting attack. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3 |
| Fixed In: | Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3 |
| Reporter: | Peter O’Callaghan |
| APPSEC-1995: Cross-site Scripting in Downloadable Products | |
|---|---|
| Type: | Cross-site Scripting (XSS) – stored |
| CVSSv3 Severity: | 5.0 (Medium) |
| Known Attacks: | None |
| Description: | An administrator with limited privileges can insert arbitrary code into product fields, which could potentially lead to a stored cross-site scripting attack. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3 |
| Fixed In: | Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3 |
| Reporter: | Boskostan |
| APPSEC-1889: Cross-Site Request Forgery Protection Bypass | |
|---|---|
| Type: | Cross-Site Request Forgery (CSRF) |
| CVSSv3 Severity: | 4.9 (Medium) |
| Known Attacks: | None |
| Description: | An administrator with limited privileges can craft a cross-site request to perform requests on behalf of another administrator. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3 |
| Fixed In: | Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3 |
| Reporter: | Fabain |
| APPSEC-1553: Access to Gift Registries of Other Users | |
|---|---|
| Type: | Insecure Direct Object Reference (IDOR) |
| CVSSv3 Severity: | 4.8 (Medium) |
| Known Attacks: | None |
| Description: | A user can view gift registries that do not belong to them. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3 |
| Fixed In: | Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3 |
| Reporter: | Peter O’Callaghan |
| APPSEC-1026: Session Management | |
|---|---|
| Type: | Session Management |
| CVSSv3 Severity: | 3.9 (Low) |
| Known Attacks: | None |
| Description: | Active sessions persist after a password change. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8 |
| Fixed In: | Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570 |
| Reporter: | Vishnu_Vardhan_Reddy |
| APPSEC-1937: Insufficient privilege seperation | |
|---|---|
| Type: | Information Exposure |
| CVSSv3 Severity: | 3.9 (Low) |
| Known Attacks: | None |
| Description: | Weak protection checking can potentially lead to privilege escalation or information disclosure. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3 |
| Fixed In: | Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3 |
| Reporter: | Peter O’Callaghan |
| APPSEC-1967: Password Change Session Management | |
|---|---|
| Type: | Session Management |
| CVSSv3 Severity: | 3.4 (Low) |
| Known Attacks: | None |
| Description: | Magento did not previously terminate existing sessions when the currently logged-in user changed his or her password. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3 |
| Fixed In: | Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3 |
| Reporter: | Internal |
| APPSEC-1972: Password Reset Session Management |
|---|
| APPSEC-1972: Password Reset Session Management | |
|---|---|
| Type: | Session Management |
| CVSSv3 Severity: | 3.4 (Low) |
| Known Attacks: | None |
| Description: | When a user reset his or her password, Magento did not previously log out of existing sessions. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12 |
| Fixed In: | Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12 |
| Reporter: | Internal |