S

SUPEE-7405

SUPEE-7405 is a bundle of patches for Magento 1.x that resolve several security-related issues. You can find more details on the vulnerabilities address by this patch below:

Stored XSS via email address – APPSEC-1213
Type: Cross-site Scripting (XSS) – Stored
CVSSv3 Severity: 9.3 (Critical)
Known Attacks: None
Description: During customer registration on the storefront, a user can provide an email address that contains JavaScript code. Magento does not properly validate this email and executes it in Admin context when viewing the order in the backend. This JavaScript code can steal an administrator session or act on behalf of a store administrator.
Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3
Fixed In: CE 1.9.2.3, EE 1.14.2.3
Reporter: Marc-Alexandre Montpas
Stored XSS in Order Comments – APPSEC-1239
Type: Cross-site Scripting (XSS) – Stored
CVSSv3 Severity: 9.3 (Critical)
Known Attacks: None
Description: A user can append comments to an order using a specially crafted request that relies upon the PayFlow Pro payment module. Magento does not filter the request properly, which potentially results in JavaScript code being saved in database (see issue APPSEC-1240) and then executed server-side when the administrator tries to view the order. This attack can lead to a takeover of the administrator session or executing actions on behalf of administrator.
Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3; Magento 2 CE & EE prior to 2.0.1
Fixed In: CE 1.9.2.3, EE 1.14.2.3, CE & EE 2.0.1
Reporter: Erik Wohllebe
Stored XSS in Order – APPSEC-1260
Type: Cross-site Scripting (XSS) – Stored
CVSSv3 Severity: 7.5 (High)
Known Attacks: None
Description: In certain configurations, Magento uses the HTTP_X_FORWARDED_FOR header as the customer IP address and displays it without sanitization in the Admin Panel. An attacker can use this header to inject JavaScript code into Order View forms in Admin Panel. The code is then executed when a user visits an Order View form, allowing the take over of an administrator session or for an unauthorized user to execute actions on behalf of an administrator. Note that we do not recommend using this header configuration setting.
Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3
Fixed In: CE 1.9.2.3, EE 1.14.2.3
Reporter: Peter O’Callaghan
Guest order view protection code vulnerable to brute-force attack – APPSEC-1270
Type: Information Leakage
CVSSv3 Severity: 7.5 (High)
Known Attacks: None
Description: The guest order view protection code makes it possible to access guest order information for some orders. (This is due to how the code is generated and compared with stored values.) While the attack cannot target a specific order or allow a user to view all orders, it can be used to extract order information from store.
Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3; Magento 2 CE & EE prior to 2.0.1
Fixed In: CE 1.9.2.3, EE 1.14.2.3, CE & EE 2.0.1
Reporter: Peter O’Callaghan
Information Disclosure in RSS feed – APPSEC-1171
Type: Information Leakage
CVSSv3 Severity: 7.5 (High)
Known Attacks: None
Description: You can download order comments and other order-related information by providing special parameters to the RSS feed request. This information, depending on contents of the order comments, can disclose private information or be used to access customer account or other customer information.
Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3
Fixed In: CE 1.9.2.3, EE 1.14.2.3
Reporter: Egidio Romano
CSRF token not validated on backend login page – APPSEC-1206
Type: Cross-site Request Forgery (CSRF)
CVSSv3 Severity: 7.4 (High)
Known Attacks: None
Description: The lack of form protection on the Admin Login page enables potential request forgery attacks. These forgery attacks require the administrator to be tricked into clicking on a link by phishing or by link hiding.
Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3
Fixed In: CE 1.9.2.3, EE 1.14.2.3
Reporter: Alistair Stead
Malicious files can be upload via backend – APPSEC-1306
Type: Insufficient Protection
CVSSv3 Severity: 6.5 (Medium)
Known Attacks: None
Description: An administrator can upload a file containing executable code to the server as a logo file if they rename the file to a supported image file format. The issue is not exploitable by itself unless the administrator account that has access to configuration is hacked. However, site audits may flag this issue, and it can cause security audits (such as PCI) to fail.
Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3
Fixed In: CE 1.9.2.3, EE 1.14.2.3
Reporter: Magento Merchant
CSRF leading to execution of admin actions after login – APPSEC-1179
Type: Cross-site Request Forgery (CSRF)
CVSSv3 Severity: 6.1 (Medium)
Known Attacks: None
Description: A user can execute a CSRF attack on URLs that result in a server-side action (such as deleting customers) when the administrator is logged out. This action is not executed until the administrator logs in after the attack. The attack relies upon phishing — that is, it requires the administrator to click on a malicious link — and requires the administrator to log in after the attack.
Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3
Fixed In: CE 1.9.2.3, EE 1.14.2.3
Reporter: Clement Mezino
Excel Formula Injection via CSV/XML export – APPSEC-1110
Type: Formula Injection
CVSSv3 Severity: 6.1 (Medium)
Known Attacks: None
Description: We have found an additional attack path not covered by issue APPSEC-978, which was resolved in patch https://magento.com/security/patches/supee-5994 for Magento 1.x.A user can provide input that executes a formula when exported and opened in a spreadsheet such as Microsoft Excel. This formula could modify data, export personal data to another site, or cause remote code execution. The spreadsheet typically displays a warning message, which the user must dismiss, for the attack to succeed.

Note: The code that protects against this attack modifies the exported file by prepending some fields with a space. As a result, this fix can lead to data inconsistency. (Data inconsistency might occur when fields, such as product name or description, start from =, + or – sign.)

If this fix causes problems with your data processing, you can disable it. Be aware, however, that this protection is enabled by default. Disabling can lead to an increased security risk.

To disable this fix, log in to the Admin Panel, then use the System tab to navigate to the Export CSV fields.

Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3
Fixed In: CE 1.9.2.3, EE 1.14.2.3
Reporter: Nikhil Srivastava
XSS in Product Custom Options – APPSEC-1267
Type: Cross-site Scripting (XSS) – Stored
CVSSv3 Severity: 5.9 (Medium)
Known Attacks: None
Description: When using products with custom option for file upload, a user can upload a file with a file name that contains JavaScript code. This code could be executed in the Admin Panel context by editing the quote that contains the product, allowing both for the takeover of an administrator session or for an unauthorized user to execute malicious actions on behalf of an administrator.
Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3; Magento 2 CE & EE prior to 2.0.1
Fixed In: CE 1.9.2.3, EE 1.14.2.3, CE & EE 2.0.1
Reporter: Erik Wohllebe
Editing or Deleting Reviews without permission – APPSEC-1268
Type: Insufficient Data Protection
CVSSv3 Severity: 5.4 (Medium)
Known Attacks: None
Description: Insufficient verification of request parameters allows any user to delete or edit product reviews. The edited reviews are returned to a pending state. This attack does not depend on setting allowing guest users to post reviews. As a result, a malicious user could access the store for spamming purposes or delete all reviews from store.
Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3; Magento 2 CE & EE prior to 2.0.1
Fixed In: CE 1.9.2.3, EE 1.14.2.3, CE & EE 2.0.1
Reporter: Peter O’Callaghan
Disruption of email delivery – APPSEC-1177
Type: Denial of Service
CVSSv3 Severity: 5.3 (Medium)
Known Attacks: None
Description: An error in the email address associated with a store newsletter can interfere with the sending of newsletter email. This error can constitute a Denial of Service attack. In some cases, including accented characters can generate this error.
Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3; Magento 2 CE & EE prior to 2.0.1
Fixed In: CE 1.9.2.3, EE 1.14.2.3, CE & EE 2.0.1
Reporter: Benjamin Lessani
CAPTCHA Bypass – APPSEC-1283
Type: Brute Force (Generic) / Insufficient Anti-automation
CVSSv3 Severity: 5.3 (Medium)
Known Attacks: None
Description: A user can bypass CAPTCHA validation on the Magento frontend, which enables unrestricted password guessing attempts. Even with CAPTCHA protection enabled, this increases the risk of spam or password guessing attacks on customer accounts.
Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3; Magento 2 CE & EE prior to 2.0.1
Fixed In: CE 1.9.2.3, EE 1.14.2.3, CE & EE 2.0.1
Reporter: Erik Wohllebe
Admin path disclosure via Authorize.net – APPSEC-1208
Type: Information Disclosure (Internal)
CVSSv3 Severity: 5.3 (Medium)
Known Attacks: None
Description: A user can identify the URL for the Magento Admin Panel by calling Authorize.net payment module URLs. While exposure of the Admin path isn’t a direct security issue, it makes it easier to carry out other malicious attacks, including password guessing or phishing.
Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3
Fixed In: CE 1.9.2.3, EE 1.14.2.3
Reporter: Erik Wohllebe
XSS Payload in website’s translation table – APPSEC-1214
Type: Cross-site Scripting (XSS) – Stored
CVSSv3 Severity: 4.7 (Medium)
Known Attacks: None
Description: When inline translations are enabled on the frontend, a user can inject a translation string that contains JavaScript code. This JavaScript code will be later included and executed on the affected pages for all users, which can lead to a session takeover or an information disclosure. This is a low risk issue as inline translations should never be enabled without limits on a production site.
Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3
Fixed In: CE 1.9.2.3, EE 1.14.2.3
Reporter: Marc-Alexandre Montpas
CSRF Delete Items from Cart – APPSEC-1212
Type: Cross-site Request Forgery (CSRF)
CVSSv3 Severity: 4.3 (Medium)
Known Attacks: None
Description: Magento does not validate the form key when deleting items from the shopping cart using a GET request. As a result, a user could use phishing emails or other malicious attacks to trick a customer into deleting items from his cart.
Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3; Magento 2 CE & EE prior to 2.0.1
Fixed In: CE 1.9.2.3, EE 1.14.2.3, CE & EE 2.0.1
Reporter: Shabad Shashidar Reddy
XSS via custom options – APPSEC-1276
Type: Cross-site Scripting (XSS) – Stored
CVSSv3 Severity: 3.8 (Low)
Known Attacks: None
Description: A user can insert XSS JavaScript into a custom option title when creating it on the server side. The code can then be executed on the Magento frontend. Although this vulnerability does not directly enable a malicious attack on a store, such unvalidated input should not be allowed in a Magento installation.
Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3
Fixed In: CE 1.9.2.3, EE 1.14.2.3
Reporter: Allan MacGregor
Risky serialized string filtering – APPSEC-1204
Type: Unsafe Code
CVSSv3 Severity: 0 (Low)
Known Attacks: None
Description: Magento includes code to sanitize serialized strings and raises errors when an object is included. This code potentially allows specially crafted serialized objects to be unserialized by Magento, which can lead to possible malicious code execution. While the issue itself is not exploitable, a user can combine it with other attacks to support remote code execution.
Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3
Fixed In: CE 1.9.2.3, EE 1.14.2.3
Reporter: Taoguang Chen
Reflected XSS in backend coupon entry – APPSEC-1305
Type: Cross-site Scripting (XSS) – Reflected
CVSSv3 Severity: 0 (Low)
Known Attacks: None
Description: When working with an order that contains items in the shopping cart, an administrator can enter JavaScript into the coupon code field of the Manage Shopping Cart page. This JavaScript can be executed later. While this feature is not an exploitable security issue, site audits may flag this issue, and it can cause security audits (such as PCI) to fail.
Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3
Fixed In: CE 1.9.2.3, EE 1.14.2.3
Reporter: Magento Merchant
Injected code can be stored in database – APPSEC-1240
Type: Improper Input Handling
CVSSv3 Severity: 0 (Low)
Known Attacks: None
Description: JavaScript code that is passed using the Payflow Pro payment module is not sanitized but is saved to the database. This issue by itself is not a security risk. (This issue is related to APPSEC-1239.)
Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3; Magento 2 CE & EE prior to 2.0.1
Fixed In: CE 1.9.2.3, EE 1.14.2.3, CE & EE 2.0.1
Reporter: Internal

Additionally, the patch resolves issues identified by Magento merchants after installing previous security patches:

  • URLs are redirected to 404 page or installer
  • Caching issues when running PHP 5.3.3 without PHP-FPM
  • Block permissions code issue
  • Password forgotten link redirects to login page
  • Administrator password can be reused (Enterprise Edition only)
SUPEE-7405
0 votes, 0.00 avg. rating (0% score)