You can download SUPEE-11155v4 patch for your Magento version on this page, just right click and select “Save file as” from the table below.
It can be applied in the same way as any previous patch, i.e. SUPEE-11086 or via our patch installation service along with all missing security patches at once.
Fixed issues and enhancements
- MPERF-10565, The Magento logging feature now works as expected after the SUPEE-11086 patch is installed. Previously, after application of this patch, Magento could only write only to a file that already existed on the server, and did not create new log files.
- Magento 1.14.4.0 and the PHP7.2 support patch now include the same files as expected. The previous version of the patch did not include the following three files, which were included in Magento 1.14.4.0. Magento 1.14.4.0: lib/phpseclib/PHP/Compat/Function/array_fill.php, lib/phpseclib/PHP/Compat/Function/bcpowmod.php, and lib/phpseclib/PHP/Compat/Function/str_split.php
Known issues
The extensive security enhancements we’ve included to this release have resulted in the following changes to Magento behavior:- You can no longer upload files with the extension
.swfto the WYSIWYG editor. - Quotes created by customers who are logged in as guest are no longer accessible after a Magento update. Third-party checkout extensions and closed security cases will either not not work securely or will not work at all.
- The Authorize.net Direct Post module has been enhanced to support the replacement of Authorize.net’s MD5-based hash with a (SHA-512) signature key. Authorize.net will no longer support implementations using the MD5-based hash as of June 28, 2019. You will need to update your signature key after upgrading to this version of Magento. For information about updating your signature key, see the Get a New Signature Key discussion in the Update Authorize.Net Direct Post from MD5 to SHA-512 help article. Note that although this help article describes how to install the earlier patch, merchants upgrading to this release of Magento are not applying the patch and should consult only the Get a New Signature Key discussion. If you’ve applied the patch to your Magento installation while running an earlier version of Magento, uninstall the Update Authorize.Net Direct Post from MD5 to SHA-512 patch before upgrading to this release.
- You can no longer preview JavaScript in a newsletter template in the Admin.
- Sitemap names cannot exceed 32 characters.
Download SUPEE-11155 (version 4)
| Magento version | SUPEE-11155v4 | MD5 checksum |
|---|---|---|
| Magento CE 1.5.1.0 | SUPEE-11155 1.5.1.0 | 803f3c48835231b768c3570a5374b681 |
| Magento CE 1.6.2.0 | SUPEE-11155 1.6.2.0 | 9bffba595f5b9a736785c1a044d60c0b |
| Magento CE 1.7.0.2 | SUPEE-11155 1.7.0.2 | 46b22c1a02f503dca974c5602c769aea |
| Magento CE 1.8.0.0 | SUPEE-11155 1.8.0.0 | b1b874db4709056d9666e81dee8009de |
| Magento CE 1.8.1.0 | SUPEE-11155 1.8.1.0 | e4a020abe18db64fa0da783928715bef |
| Magento CE 1.9.0.0 | SUPEE-11155 1.9.0.0 | 8ee13d044b9f97c59daac39b511b06e8 |
| Magento CE 1.9.0.1 | SUPEE-11155 1.9.0.1 | fd39d6a9ed9ec63e9863386ee7e1dfad |
| Magento CE 1.9.1.0 | SUPEE-11155 1.9.1.0 | 1e3ac97c3565686989ed05b8bde7bf24 |
| Magento CE 1.9.1.1 | SUPEE-11155 1.9.1.1 | 3a33fccd2bb79fc48506551468dfa5c0 |
| Magento CE 1.9.2.0 | SUPEE-11155 1.9.2.0 | 04244fdd09fcc47aeaab6784ae141417 |
| Magento CE 1.9.2.1 | SUPEE-11155 1.9.2.1 | 23d3842450b0e0fec3f8ea6e39a4edd6 |
| Magento CE 1.9.2.2 | SUPEE-11155 1.9.2.2 | cf7f08a6645a2e353a4f34846d8d4ab0 |
| Magento CE 1.9.2.3 | SUPEE-11155 1.9.2.3 | 777aca82c2e93ce7c5d108f09c1d2a1c |
| Magento CE 1.9.2.4 | SUPEE-11155 1.9.2.4 | afdf117e6cdc7c705dec07cdf76323ca |
| Magento CE 1.9.3.0 | SUPEE-11155 1.9.3.0 | cd0e0413f565654977c917524a40c01f |
| Magento CE 1.9.3.1 | SUPEE-11155 1.9.3.1 | 4d0d69ac76cce7313a59ee58f34136e4 |
| Magento CE 1.9.3.2 | SUPEE-11155 1.9.3.2 | c8ab31c92f6411f1196d90e2054e00ab |
| Magento CE 1.9.3.3 | SUPEE-11155 1.9.3.3 | c357103712d746fe8aefa5f1642a3a97 |
| Magento CE 1.9.3.4 | SUPEE-11155 1.9.3.4 | fcadcf0858992aa8ff33e211af80910b |
| Magento CE 1.9.3.6 | SUPEE-11155 1.9.3.6 | 743ff8a24a4e5d5e3e125eda20c0e056 |
| Magento CE 1.9.3.7 | SUPEE-11155 1.9.3.7 | 2020331020f4c9d170012633c78f4e3e |
| Magento CE 1.9.3.8 | SUPEE-11155 1.9.3.8 | 59eabb5cedc515e887adaf6877aa3cef |
| Magento CE 1.9.3.9 | SUPEE-11155 1.9.3.9 | c99ffaae3b58b145628cebace2dc1b5d |
| Magento CE 1.9.3.10 | SUPEE-11155 1.9.3.10 | cf94c44f98fa700fe5c747689a84a123 |
| Magento CE 1.9.4.0 | SUPEE-11155 1.9.4.0 | fe78fe3b2f1f96bd6a81e0749155d6dd |
| Magento CE 1.9.4.1 | SUPEE-11155 1.9.4.1 | 73460f3106270a94c0b97390406ffe78 |
| Magento CE 1.9.4.2 | the patch is already included | |
| OpenMage v19.4.3 | the patch is already included |
Issues fixed in the patch
| PRODSECBUG-2289: Arbitrary code execution in the advanced admin logging configuration – CVE-2019-7893 | |
|---|---|
| Type: | General: Remote Code Execution |
| CVSSv3 Severity: | 9.1 |
| Known Attacks: | none |
| Description: | A user with administrator privileges and access to the advanced admin logging configuration can trigger remote code execution via PHP Object Injection. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2. |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155 |
| Reporter: | Luke Rodgers |
| PRODSECBUG-2262: Arbitrary code execution by importing malicious dataflow profiles – CVE-2019-7884 | |
|---|---|
| Type: | General: Remote Code Execution |
| CVSSv3 Severity: | 9.1 |
| Known Attacks: | none |
| Description: | An authenticated user with privileges to edit block permission, import dataflow functionality, and modify CMS content can execute arbitrary code by importing malicious dataflow profiles. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2. |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155 |
| Reporter: | Peter O’Callaghan |
| PRODSECBUG-2351: Arbitrary code execution via crafted sitemap creation – CVE-2019-7932 | |
|---|---|
| Type: | General: Remote Code Execution |
| CVSSv3 Severity: | 9.0 |
| Known Attacks: | none |
| Description: | An authenticated user with admin privileges to create sitemaps can execute arbitrary code by crafted filenames that include php extension within the XML filename. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
| Reporter: | Simon Scannell |
| PRODSECBUG-2324: PHP Object Injection in the Currency setup feature can lead to arbitrary code execution – CVE-2019-7914 | |
|---|---|
| Type: | General: Remote Code Execution |
| CVSSv3 Severity: | 9.0 |
| Known Attacks: | none |
| Description: | A PHP Object Injection vulnerability in the currency setup feature can be exploited by an authenticated user with administrator privileges to execute arbitrate code. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2. |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155 |
| Reporter: | Max Chadwick |
| PRODSECBUG-2382: PHP Object Injection in the Admin Actions Logging feature can lead to arbitrary code execution – CVE-2019-7946 | |
|---|---|
| Type: | General: Remote Code Execution |
| CVSSv3 Severity: | 8.7 |
| Known Attacks: | none |
| Description: | A PHP Object Injection vulnerability in the admin actions logging configuration feature can be exploited by an authenticated user with administrator privileges to execute arbitrate code. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2. |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155 |
| Reporter: | Max Chadwick |
| PRODSECBUG-2312: PHP Object Injection in the Model Design Package can lead to arbitrary code execution – CVE-2019-7906 | |
|---|---|
| Type: | Injections: SQL Injection |
| CVSSv3 Severity: | 8.7 |
| Known Attacks: | none |
| Description: | A PHP Object Injection vulnerability in the model design package can be exploited by an authenticated user with administrator privileges to execute arbitrate code. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2. |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155 |
| Reporter: | Max Chadwick |
| PRODSECBUG-2311: PHP Object Injection in the Enterprise Logging feature can lead to arbitrary code execution – CVE-2019-7905 | |
|---|---|
| Type: | Injections: SQL Injection |
| CVSSv3 Severity: | 8.7 |
| Known Attacks: | none |
| Description: | A PHP Object Injection vulnerability in the enterprise logging configuration feature can be exploited by an authenticated user with administrator privileges to execute arbitrate code. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2. |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155 |
| Reporter: | Max Chadwick |
| PRODSECBUG-2431: Remote code execution via dataflow import and catalog functionality – CVE-2019-7952 | |
|---|---|
| Type: | General: Remote Code Execution |
| CVSSv3 Severity: | 8.4 |
| Known Attacks: | none |
| Description: | An authenticated user with admin privileges can execute arbitrary code via layout upates when using crafted combination of data flow import and catalog categories . |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2. |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155 |
| Reporter: | Internal Penetration Testing |
| PRODSECBUG-2320: Arbitrary code execution due to unsafe handling of system configuration – CVE-2019-7911 | |
|---|---|
| Type: | General: Remote Code Execution |
| CVSSv3 Severity: | 7.9 |
| Known Attacks: | none |
| Description: | An authenticated user with admin privileges to manipulate system configuration can execute arbitrary code through server-side request forgery. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
| Reporter: | Max Chadwick |
| PRODSECBUG-2319: Arbitrary code execution due to unsafe handling of payment bridge gateway – CVE-2019-7910 | |
|---|---|
| Type: | General: Remote Code Execution |
| CVSSv3 Severity: | 7.9 |
| Known Attacks: | none |
| Description: | An authenticated user with admin privileges to manipulate payment methods can execute arbitrary code through server-side request forgery. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2. |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155 |
| Reporter: | Max Chadwick |
| PRODSECBUG-2313: Arbitrary code execution due to unsafe deserialization of configuration fields – CVE-2019-7907 | |
|---|---|
| Type: | General: Remote Code Execution |
| CVSSv3 Severity: | 7.6 |
| Known Attacks: | none |
| Description: | An authenticated user with configuration privileges can execute arbitrary code due to unserialization of user controlled configuration values. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2. |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155 |
| Reporter: | Edgar Boda-Majer |
| PRODSECBUG-2317: Stored cross-site scripting in admin panel – CVE-2019-7909 | |
|---|---|
| Type: | General: cross-site scripting |
| CVSSv3 Severity: | 5.5 |
| Known Attacks: | none |
| Description: | A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
| Reporter: | Peter O’Callaghan |
| PRODSECBUG-2226: Stored cross-site scripting in the admin panel – CVE-2019-7875 | |
|---|---|
| Type: | General: cross-site scripting |
| CVSSv3 Severity: | 5.5 |
| Known Attacks: | none |
| Description: | A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
| Reporter: | Roberto Suggi Liverani |
| PRODSECBUG-2352: Stored cross-site scripting in the admin panel – CVE-2019-7933 | |
|---|---|
| Type: | General: cross-site scripting |
| CVSSv3 Severity: | 5.5 |
| Known Attacks: | none |
| Description: | A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2. |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155 |
| Reporter: | Roberto Suggi Liverani |
| PRODSECBUG-2334: Stored cross-site scripting in the admin panel – CVE-2019-7920 | |
|---|---|
| Type: | General: cross-site scripting |
| CVSSv3 Severity: | 5.5 |
| Known Attacks: | none |
| Description: | A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2. |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155 |
| Reporter: | Max Chadwick |
| PRODSECBUG-2333: Stored cross-site scripting in the admin panel – CVE-2019-7919 | |
|---|---|
| Type: | General: cross-site scripting |
| CVSSv3 Severity: | 5.5 |
| Known Attacks: | none |
| Description: | A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2. |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155 |
| Reporter: | Max Chadwick |
| PRODSECBUG-2275: Unsafe functionality is exposed via email templates manipulation – CVE-2019-7889 | |
|---|---|
| Type: | General: injection |
| CVSSv3 Severity: | 5.5 |
| Known Attacks: | none |
| Description: | An authenticated user with marketing manipulation privileges can invoke methods that alter data of the underlying model followed by corresponding database modifications. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
| Reporter: | Blaklis |
| PRODSECBUG-2299: Stored cross-site scripting in the admin panel – CVE-2019-7897 | |
|---|---|
| Type: | General: cross-site scripting |
| CVSSv3 Severity: | 5.5 |
| Known Attacks: | none |
| Description: | A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
| Reporter: | Karim El Ouerghemmi |
| PRODSECBUG-2304: Stored cross-site scripting in the admin panel – CVE-2019-7901 | |
|---|---|
| Type: | General: cross-site scripting |
| CVSSv3 Severity: | 5.5 |
| Known Attacks: | none |
| Description: | A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2. |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155 |
| Reporter: | Max Chadwick |
| PRODSECBUG-2303: Stored cross-site scripting in the admin panel – CVE-2019-7900 | |
|---|---|
| Type: | General: cross-site scripting |
| CVSSv3 Severity: | 5.5 |
| Known Attacks: | none |
| Description: | A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2. |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155 |
| Reporter: | Max Chadwick |
| PRODSECBUG-2234: Stored cross-site scripting in the admin panel – CVE-2019-7878 | |
|---|---|
| Type: | General: cross-site scripting |
| CVSSv3 Severity: | 5.5 |
| Known Attacks: | none |
| Description: | A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2. |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155 |
| Reporter: | Peter O’Callaghan |
| PRODSECBUG-2380: Stored cross-site scripting in the Currency Symbols field – CVE-2019-7945 | |
|---|---|
| Type: | General: cross-site scripting |
| CVSSv3 Severity: | 5.5 |
| Known Attacks: | none |
| Description: | An authenticated user with privileges to the Currency Symbols functionality can inject malicious javascript. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
| Reporter: | Internal Penetration Testing |
| PRODSECBUG-2353: Stored cross-site scripting in the admin panel – CVE-2019-7934 | |
|---|---|
| Type: | General: cross-site scripting |
| CVSSv3 Severity: | 5.5 |
| Known Attacks: | none |
| Description: | A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
| Reporter: | Roberto Suggi Liverani |
| PRODSECBUG-2363: Stored cross-site scripting in the admin panel – CVE-2019-7935 | |
|---|---|
| Type: | General: cross-site scripting |
| CVSSv3 Severity: | 5.5 |
| Known Attacks: | none |
| Description: | A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
| Reporter: | Max Chadwick |
| PRODSECBUG-2371: Stored cross-site scripting in the admin panel – CVE-2019-7940 | |
|---|---|
| Type: | General: cross-site scripting |
| CVSSv3 Severity: | 5.5 |
| Known Attacks: | none |
| Description: | A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
| Reporter: | Max Chadwick |
| PRODSECBUG-2378: Stored cross-site scripting in the Return Product comments feature – CVE-2019-7944 | |
|---|---|
| Type: | General: cross-site scripting |
| CVSSv3 Severity: | 5.5 |
| Known Attacks: | none |
| Description: | A stored cross-site scripting vulnerability exists in the product comments field. Authenticated user with privileges to the Return Product comments field can inject malicious javascript. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
| Reporter: | Internal Penetration Testing |
| PRODSECBUG-2369: Stored cross-site scripting in the admin panel – CVE-2019-7938 | |
|---|---|
| Type: | General: cross-site scripting |
| CVSSv3 Severity: | 5.5 |
| Known Attacks: | none |
| Description: | A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
| Reporter: | Karim El Ouerghemmi |
| PRODSECBUG-2068: Stored cross-site scripting in the admin panel – CVE-2019-7848 | |
|---|---|
| Type: | General: cross-site scripting |
| CVSSv3 Severity: | 5.5 |
| Known Attacks: | none |
| Description: | A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2. |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155 |
| Reporter: | Luke Rodgers |
| PRODSECBUG-2295: Use of cryptographically weak PRNG when autogenerating gift card codes – CVE-2019-7894 | |
|---|---|
| Type: | General: Cryptographic/Encryption/Hashing Flaw |
| CVSSv3 Severity: | 5.3 |
| Known Attacks: | none |
| Description: | An authenticated user can discover regularity in automated gift card generation due to use of cryptographically weak pseudo random number generator. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2. |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155 |
| Reporter: | Max Chadwick |
| PRODSECBUG-2300: Information about disabled products can be leaked due to inadequate validation checks – CVE-2019-7898 | |
|---|---|
| Type: | General: Information Leakage |
| CVSSv3 Severity: | 5.3 |
| Known Attacks: | none |
| Description: | Inadequate validation can lead to disclosure of downloadable product samples even if marked as disabled. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
| Reporter: | Edgar Boda-Majer |
| PRODSECBUG-2241: Email functionality can be abused for SPAM or spoofing activities – CVE-2019-7879 | |
|---|---|
| Type: | Others: Denial of Service |
| CVSSv3 Severity: | 5.3 |
| Known Attacks: | none |
| Description: | The default configuration of the Magento “Email to a friend” feature can be abused by an attacker to send SPAM or spoofed emails. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2. |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155 |
| Reporter: | KAnev |
| PRODSECBUG-2270: Reflected cross-site scripting in the admin panel – CVE-2019-7887 | |
|---|---|
| Type: | General: cross-site scripting |
| CVSSv3 Severity: | 5.0 |
| Known Attacks: | none |
| Description: | A reflected cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
| Reporter: | SmashITs |
| PRODSECBUG-2282: Deletion of terms and Conditions via cross-site request forgery (CSRF) – CVE-2019-7891 | |
|---|---|
| Type: | General: Cross Site Request Forgery |
| CVSSv3 Severity: | 5.0 |
| Known Attacks: | none |
| Description: | An attacker can delete Terms and Conditions within the context of an authenticated administrator’s session through cross-site request forgery (CSRF) |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2. |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155 |
| Reporter: | Djordje Marjanovic |
| PRODSECBUG-2246: Stored cross-site scripting in the WYSIWYG editor – CVE-2019-7882 | |
|---|---|
| Type: | General: injection |
| CVSSv3 Severity: | 4.8 |
| Known Attacks: | none |
| Description: | A stored cross-site scripting vulnerability exists in the WYSIWYG editor. This could be exploited by an authenticated user with privileges to the editor to inject malicious SWF files. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
| Reporter: | KAnev |
| PRODSECBUG-2395: Customer passwords are stored as plain-text in the accounts database when certain error conditions exist – CVE-2019-7948 | |
|---|---|
| Type: | General: Cryptographic/Encryption/Hashing Flaw |
| CVSSv3 Severity: | 4.5 |
| Known Attacks: | none |
| Description: | A privileged administrator with access to the accounts database can read plain-text passwords when certain error conditions occur in the account creation process. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2. |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155 |
| Reporter: | Kevin Schroeder |
| PRODSECBUG-2301: Names of disabled products can be leaked due to inadequate validation checks – CVE-2019-7899 | |
|---|---|
| Type: | General: Information Leakage |
| CVSSv3 Severity: | 4.3 |
| Known Attacks: | none |
| Description: | Inadequate validation can lead to disclosure of product names even if marked as disabled. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
| Reporter: | Edgar Boda-Majer |
| PRODSECBUG-2331: Weak password requirements when registering an account – CVE-2019-7918 | |
|---|---|
| Type: | General: Cryptographic/Encryption/Hashing Flaw |
| CVSSv3 Severity: | 4.3 |
| Known Attacks: | none |
| Description: | Users can set weak password when registering for new accounts making it amenable to brute-force attacks. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2. |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155 |
| Reporter: | Internal Penetration Testing |
| PRODSECBUG-2095: Defense-in-depth session validation check implemented – CVE-2019-7849 | |
|---|---|
| Type: | Privilege Escalation & Enumeration: Broken Authentication and Session Management |
| CVSSv3 Severity: | 3.7 |
| Known Attacks: | none |
| Description: | A defense-in-depth check was added to mitigate inadequate session validation handling by 3rd party checkout modules. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
| Reporter: | Roger-Keulen |
| PRODSECBUG-2330: Insecure user credential storage – CVE-2019-7917 | |
|---|---|
| Type: | General: Cryptographic/Encryption/Hashing Flaw |
| CVSSv3 Severity: | 3.7 |
| Known Attacks: | none |
| Description: | User passwords are stored using an algorithm that is insufficiently resistant against brute force attacks. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2. |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155 |
| Reporter: | Internal Penetration Testing |
| PRODSECBUG-2329: Use of insufficiently random values in multiple security relevant contexts – CVE-2019-7916 | |
|---|---|
| Type: | General: Cryptographic/Encryption/Hashing Flaw |
| CVSSv3 Severity: | 3.7 |
| Known Attacks: | none |
| Description: | Cryptographically weak pseudo-rando number generator is used in multiple security relevant contexts (e.g., anti-CSRF tokens) allowing malicious user to predict random values. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2. |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155 |
| Reporter: | Internal Penetration Testing |
| PRODSECBUG-1912: Insecure Direct Object Reference (IDOR) vulnerability can remove gift registry recipients – CVE-2019-7847 | |
|---|---|
| Type: | Privilege Escalation & Enumeration: Insecure Direct Object Reference |
| CVSSv3 Severity: | 3.7 |
| Known Attacks: | none |
| Description: | An Insecure Direct Object Reference (IDOR) vulnerability in the gift registry feature can lead to unauthorized removal of gift recipient details. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2. |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155 |
| Reporter: | Peter O’Callaghan |
| PRODSECBUG-2387: Cross site request forgery attacks are possible via the gift card removal feature – CVE-2019-7947 | |
|---|---|
| Type: | General: Cross Site Request Forgery |
| CVSSv3 Severity: | 3.1 |
| Known Attacks: | none |
| Description: | A cross-site request forgery vulnerability exists in the GiftCardAccount removal feature |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
| Reporter: | Anonymously reported |
| PRODSECBUG-2305: Deletion of reviews via cross-site request forgery (CSRF) – CVE-2019-7902 | |
|---|---|
| Type: | General: Cross Site Request Forgery |
| CVSSv3 Severity: | 2.2 |
| Known Attacks: | none |
| Description: | A cross-site request forgery (CSRF) bug in the reviews feature could be abused to delete a customer review. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2. |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155 |
| Reporter: | Djordje Marjanovic |
| PRODSECBUG-2372: PHP Object Injection in the Currency setup feature can lead to arbitrary code execution - | |
|---|---|
| Type: | General: Remote Code Execution |
| CVSSv3 Severity: | |
| Known Attacks: | none |
| Description: | A PHP Object Injection vulnerability in the currency setup feature can be exploited by an authenticated user with administrator privileges to execute arbitrate code. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2. |
| Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155 |
| Reporter: | Max Chadwick |
Please refer to Security Best Practices for additional information on how to secure your site.
Be sure to implement and test the patch in a development environment first to confirm that it works as expected before deploying it to a production site.