SUPEE-11219 is a Magento security patch released on October 8, 2019 together with Magento CE 1.9.4.3 and Magento Commerce 1.14.4.3. The patch contains multiple security enhancements that close cross-site scripting, arbitrary code execution, and sensitive data disclosure vulnerabilities, as well as other security issues.
You can download the SUPEE-11219 patch for your Magento version from the table below: right-click the link and select “Save file as”.
Note: Install this and any other missing patches with our Magento patch installation service, or upgrade to OpenMage LTS v19.4.15 (released on August 26, 2021).
Download SUPEE-11219
Known issues
Files changed in the patch
app/code/core/Mage/Admin/Model/User.php
app/code/core/Mage/Admin/etc/config.xml
app/code/core/Mage/Admin/sql/admin_setup/upgrade-1.6.1.2-1.6.1.3.php
app/code/core/Mage/Adminhtml/Block/Api/User/Edit/Tab/Main.php
app/code/core/Mage/Adminhtml/Block/Catalog/Product/Attribute/Set/Main.php
app/code/core/Mage/Adminhtml/Block/Customer/Edit/Renderer/Newpass.php
app/code/core/Mage/Adminhtml/Block/Customer/Edit/Tab/Account.php
app/code/core/Mage/Adminhtml/Block/Newsletter/Queue/Preview.php
app/code/core/Mage/Adminhtml/Block/Newsletter/Template/Edit.php
app/code/core/Mage/Adminhtml/Block/Newsletter/Template/Preview.php
app/code/core/Mage/Adminhtml/Block/Permissions/Tab/Useredit.php
app/code/core/Mage/Adminhtml/Block/Permissions/User/Edit/Tab/Main.php
app/code/core/Mage/Adminhtml/Block/Sales/Order/View.php
app/code/core/Mage/Adminhtml/Block/System/Account/Edit/Form.php
app/code/core/Mage/Adminhtml/Block/System/Email/Template/Edit.php
app/code/core/Mage/Adminhtml/Block/Widget/Grid.php
app/code/core/Mage/Adminhtml/Model/Config/Data.php
app/code/core/Mage/Adminhtml/Model/LayoutUpdate/Validator.php
app/code/core/Mage/Adminhtml/Model/System/Config/Backend/Locale.php
app/code/core/Mage/Adminhtml/Model/System/Config/Backend/Passwordlength.php
app/code/core/Mage/Adminhtml/controllers/Api/UserController.php
app/code/core/Mage/Adminhtml/controllers/Catalog/CategoryController.php
app/code/core/Mage/Adminhtml/controllers/Catalog/Product/AttributeController.php
app/code/core/Mage/Adminhtml/controllers/Catalog/Product/SetController.php
app/code/core/Mage/Adminhtml/controllers/Catalog/SearchController.php
app/code/core/Mage/Adminhtml/controllers/Cms/PageController.php
app/code/core/Mage/Adminhtml/controllers/CustomerController.php
app/code/core/Mage/Adminhtml/controllers/IndexController.php
app/code/core/Mage/Adminhtml/controllers/Newsletter/TemplateController.php
app/code/core/Mage/Adminhtml/controllers/Permissions/BlockController.php
app/code/core/Mage/Adminhtml/controllers/Sales/OrderController.php
app/code/core/Mage/Adminhtml/controllers/System/ConfigController.php
app/code/core/Mage/Adminhtml/controllers/System/Email/TemplateController.php
app/code/core/Mage/Adminhtml/controllers/Tax/RuleController.php
app/code/core/Mage/Api/Model/User.php
app/code/core/Mage/Api/etc/config.xml
app/code/core/Mage/Api/sql/api_setup/mysql4-upgrade-1.6.0.1-1.6.0.2.php
app/code/core/Mage/Catalog/Block/Product/Abstract.php
app/code/core/Mage/Catalog/Block/Product/Compare/List.php
app/code/core/Mage/Catalog/Block/Product/Price.php
app/code/core/Mage/Catalog/Block/Product/View.php
app/code/core/Mage/Catalog/Helper/Product/Compare.php
app/code/core/Mage/Catalog/Model/Design.php
app/code/core/Mage/Catalog/etc/config.xml
app/code/core/Mage/Catalog/sql/catalog_setup/upgrade-1.6.0.0.19.1.5-1.6.0.0.19.1.6.php
app/code/core/Mage/Checkout/Block/Cart/Item/Renderer.php
app/code/core/Mage/Checkout/Helper/Cart.php
app/code/core/Mage/Checkout/Model/Session.php
app/code/core/Mage/Cms/Block/Widget/Block.php
app/code/core/Mage/Core/Block/Abstract.php
app/code/core/Mage/Core/Helper/Data.php
app/code/core/Mage/Core/Helper/String.php
app/code/core/Mage/Core/Model/App.php
app/code/core/Mage/Core/Model/Encryption.php
app/code/core/Mage/Core/Model/File/Uploader.php
app/code/core/Mage/Core/Model/Input/Filter/MaliciousCode.php
app/code/core/Mage/Core/Model/Layout/Validator.php
app/code/core/Mage/Core/Model/Resource/File/Storage/Database.php
app/code/core/Mage/Core/etc/config.xml
app/code/core/Mage/Core/etc/jstranslator.xml
app/code/core/Mage/Core/etc/system.xml
app/code/core/Mage/Core/sql/core_setup/upgrade-1.6.0.8-1.6.0.9.php
app/code/core/Mage/Core/sql/core_setup/upgrade-1.6.0.9-1.6.0.10.php
app/code/core/Mage/Customer/Block/Account/Changeforgotten.php
app/code/core/Mage/Customer/Block/Address/Renderer/Default.php
app/code/core/Mage/Customer/Block/Form/Register.php
app/code/core/Mage/Customer/Model/Customer.php
app/code/core/Mage/Customer/Model/Customer/Attribute/Backend/Password.php
app/code/core/Mage/Customer/etc/config.xml
app/code/core/Mage/Customer/etc/system.xml
app/code/core/Mage/Dataflow/Model/Convert/Container/Abstract.php
app/code/core/Mage/Dataflow/Model/Convert/Parser/Csv.php
app/code/core/Mage/Dataflow/Model/Convert/Parser/Xml/Excel.php
app/code/core/Mage/Dataflow/Model/Profile.php
app/code/core/Mage/Eav/Model/Entity/Attribute/Backend/Abstract.php
app/code/core/Mage/ImportExport/Model/Import/Adapter/Abstract.php
app/code/core/Mage/ImportExport/Model/Import/Entity/Abstract.php
app/code/core/Mage/Install/Block/Admin.php
app/code/core/Mage/Install/etc/config.xml
app/code/core/Mage/Review/controllers/ProductController.php
app/code/core/Mage/Rss/etc/config.xml
app/code/core/Mage/Widget/controllers/Adminhtml/Widget/InstanceController.php
app/code/core/Mage/Wishlist/Block/Abstract.php
app/code/core/Mage/Wishlist/Block/Customer/Wishlist/Item/Column/Cart.php
app/code/core/Mage/Wishlist/Block/Item/Configure.php
app/code/core/Mage/Wishlist/Block/Share/Email/Items.php
app/code/core/Mage/Wishlist/Helper/Data.php
app/code/core/Mage/XmlConnect/Helper/Translate.php
app/design/adminhtml/default/default/template/resetforgottenpassword.phtml
app/design/frontend/base/default/template/bundle/catalog/product/view/option_tierprices.phtml
app/design/frontend/base/default/template/catalog/product/list.phtml
app/design/frontend/base/default/template/catalog/product/new.phtml
app/design/frontend/base/default/template/catalog/product/price_msrp.phtml
app/design/frontend/base/default/template/catalog/product/price_msrp_item.phtml
app/design/frontend/base/default/template/catalog/product/price_msrp_noform.phtml
app/design/frontend/base/default/template/catalog/product/view/tierprices.phtml
app/design/frontend/base/default/template/reports/home_product_compared.phtml
app/design/frontend/base/default/template/reports/home_product_viewed.phtml
app/design/frontend/base/default/template/wishlist/item/column/remove.phtml
app/design/frontend/base/default/template/wishlist/item/configure/addto.phtml
app/design/frontend/base/default/template/wishlist/render/item/price_msrp_item.phtml
app/design/frontend/rwd/default/template/catalog/product/compare/list.phtml
app/design/frontend/rwd/default/template/catalog/product/list.phtml
app/design/frontend/rwd/default/template/catalog/product/list/related.phtml
app/design/frontend/rwd/default/template/catalog/product/view.phtml
app/design/frontend/rwd/default/template/catalog/product/view/addto.phtml
app/design/frontend/rwd/default/template/catalog/product/view/sharing.phtml
app/design/frontend/rwd/default/template/catalog/product/widget/new/content/new_grid.phtml
app/design/frontend/rwd/default/template/checkout/cart/crosssell.phtml
app/design/frontend/rwd/default/template/checkout/cart/item/default.phtml
app/design/frontend/rwd/default/template/checkout/cart/shipping.phtml
app/design/frontend/rwd/default/template/checkout/cart/sidebar/default.phtml
app/design/frontend/rwd/default/template/checkout/onepage/review/info.phtml
app/design/frontend/rwd/default/template/customer/form/changepassword.phtml
app/design/frontend/rwd/default/template/customer/form/edit.phtml
app/design/frontend/rwd/default/template/customer/form/resetforgottenpassword.phtml
app/design/frontend/rwd/default/template/downloadable/checkout/cart/item/default.phtml
app/design/frontend/rwd/default/template/email/catalog/product/list.phtml
app/design/frontend/rwd/default/template/persistent/checkout/onepage/billing.phtml
app/design/frontend/rwd/default/template/persistent/checkout/onepage/login.phtml
app/design/frontend/rwd/default/template/persistent/customer/form/login.phtml
app/design/frontend/rwd/default/template/persistent/customer/form/register.phtml
app/design/frontend/rwd/default/template/reports/widget/compared/content/compared_grid.phtml
app/design/frontend/rwd/default/template/reports/widget/viewed/content/viewed_grid.phtml
app/design/frontend/rwd/default/template/wishlist/item/column/cart.phtml
app/design/frontend/rwd/default/template/wishlist/shared.phtml
app/design/frontend/rwd/default/template/wishlist/sidebar.phtml
app/design/install/default/default/template/install/create_admin.phtml
app/locale/en_US/Mage_Adminhtml.csv
app/locale/en_US/Mage_Api.csv
app/locale/en_US/Mage_Core.csv
app/locale/en_US/Mage_Customer.csv
app/locale/en_US/Mage_Dataflow.csv
app/locale/en_US/Mage_Eav.csv
app/locale/en_US/Mage_XmlConnect.csv
js/mage/adminhtml/variables.js
js/prototype/validation.js
js/tiny_mce/plugins/media/editor_plugin.js
js/tiny_mce/plugins/media/editor_plugin_src.js
js/varien/js.js
lib/Varien/Filter/FormElementName.php
skin/adminhtml/default/default/boxes.css
Issues fixed in the patch
| PRODSECBUG-2462: Remote code execution via file upload in admin import feature – CVE-2019-8114 | |
|---|---|
| Type | Remote Code Execution |
| CVSSv3 Severity | 9.1 |
| Known Attacks | None |
| Description | A remote code execution vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, and Magento 2.3 prior to 2.3.3. An authenticated user with admin privileges for the import feature can execute arbitrary code via a crafted configuration archive file upload. |
| Product(s) Affected | Magento Open Source prior to 1.9.4.3, Magento Commerce prior to 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
| Fixed In | Magento Open Source 1.9.4.3, Magento Commerce 1.14.4.3, SUPEE-11219, Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3 |
| Reporter | sambecks |
| PRODSECBUG-2443: Remote code execution via crafted support configuration modification – CVE-2019-8125 | |
|---|---|
| Type | Remote Code Execution |
| CVSSv3 Severity | 9.1 |
| Known Attacks | None |
| Description | A remote code execution vulnerability exists in Magento 1 prior to 1.9.x and 1.14.x. An authenticated admin user can modify configuration parameters via a crafted support configuration. The modification can lead to remote code execution. |
| Product(s) Affected | Magento Open Source prior to 1.9.4.3, and Magento Commerce prior to 1.14.4.3 |
| Fixed In | Magento Open Source 1.9.4.3, Magento Commerce 1.14.4.3, SUPEE-11219 |
| Reporter | Blaklis |
| PRODSECBUG-2492: Remote code execution via product layout update – CVE-2019-8091 | |
|---|---|
| Type | Remote Code Execution |
| CVSSv3 Severity | 9 |
| Known Attacks | None |
| Description | A remote code execution vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3. An authenticated admin user with privileges to access product attributes can leverage layout updates to trigger remote code execution. |
| Product(s) Affected | Magento Open Source prior to 1.9.4.3, and Magento Commerce prior to 1.14.4.3 |
| Fixed In | Magento Open Source 1.9.4.3, Magento Commerce 1.14.4.3, SUPEE-11219 |
| Reporter | Luke Rodgers |
| PRODSECBUG-2445: Insufficient logging and monitoring of configuration changes – CVE-2019-8123 | |
|---|---|
| Type | Insufficient logging and monitoring |
| CVSSv3 Severity | 3.3 |
| Known Attacks | None |
| Description | An insufficient logging and monitoring vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, and Magento 2.3 prior to 2.3.3. The logging feature required for effective monitoring did not contain sufficient data to track configuration changes effectively. |
| Product(s) Affected | Magento Open Source prior to 1.9.4.3, Magento Commerce prior to 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
| Fixed In | Magento Open Source 1.9.4.3, Magento Commerce 1.14.4.3, SUPEE-11219, Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3 |
| Reporter | Internal employee |
| PRODSECBUG-2344: Cross-Site Scripting via wysiwyg editor – CVE-2019-8152 | |
|---|---|
| Type | Cross-Site Scripting |
| CVSSv3 Severity | 4 |
| Known Attacks | None |
| Description | A stored cross-site scripting (XSS) vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, and Magento 2.3 prior to 2.3.3. An authenticated user with access to the wysiwyg editor can abuse the blockDirective() function and inject malicious JavaScript into the cache of the admin dashboard. |
| Product(s) Affected | Magento Open Source prior to 1.9.4.3, Magento Commerce prior to 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1 |
| Fixed In | Magento Open Source 1.9.4.3, Magento Commerce 1.14.4.3, SUPEE-11219, Magento 2.2.10, Magento 2.3.2-p1, Magento 2.3.3 |
| Reporter | Simon Scannell |
| PRODSECBUG-2328: Sensitive information available in HTTP requests – CVE-2019-8155 | |
|---|---|
| Type | Information leakage |
| CVSSv3 Severity | 5.4 |
| Known Attacks | None |
| Description | An information leakage vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3. Under certain conditions, the Magento application included a user’s CSRF token in the URL of a GET request. This could be exploited by an attacker with access to network traffic to perform unauthorized actions. |
| Product(s) Affected | Magento Open Source prior to 1.9.4.3, and Magento Commerce prior to 1.14.4.3 |
| Fixed In | Magento Open Source 1.9.4.3, Magento Commerce 1.14.4.3, SUPEE-11219 |
| Reporter | Pen-test |