SUPEE-7405

SUPEE-7405 is a bundle of patches for Magento 1.x that resolves several security-related issues. You can find more details on the vulnerabilities addressed by this patch below:
Stored XSS via email address – APPSEC-1213
Type: Cross-site Scripting (XSS) – Stored
CVSSv3 Severity: 9.3 (Critical)
Known Attacks: None
Description: During customer registration on the storefront, a user can provide an email address that contains JavaScript code. Magento does not properly validate this email and executes it in Admin context when viewing the order in the backend. This JavaScript code can steal an administrator session or act on behalf of a store administrator.
Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3
Fixed In: CE 1.9.2.3, EE 1.14.2.3
Reporter: Marc-Alexandre Montpas
Stored XSS in Order Comments – APPSEC-1239
Type: Cross-site Scripting (XSS) – Stored
CVSSv3 Severity: 9.3 (Critical)
Known Attacks: None
Description: A user can append comments to an order using a specially crafted request that relies upon the PayFlow Pro payment module. Magento does not filter the request properly, which potentially results in JavaScript code being saved in database (see issue APPSEC-1240) and then executed server-side when the administrator tries to view the order. This attack can lead to a takeover of the administrator session or executing actions on behalf of administrator.
Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3; Magento 2 CE & EE prior to 2.0.1
Fixed In: CE 1.9.2.3, EE 1.14.2.3, CE & EE 2.0.1
Reporter: Erik Wohllebe
Stored XSS in Order – APPSEC-1260
Type: Cross-site Scripting (XSS) – Stored
CVSSv3 Severity: 7.5 (High)
Known Attacks: None
Description: In certain configurations, Magento uses the HTTP_X_FORWARDED_FOR header as the customer IP address and displays it without sanitization in the Admin Panel. An attacker can use this header to inject JavaScript code into Order View forms in Admin Panel. The code is then executed when a user visits an Order View form, allowing the take over of an administrator session or for an unauthorized user to execute actions on behalf of an administrator. Note that we do not recommend using this header configuration setting.
Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3
Fixed In: CE 1.9.2.3, EE 1.14.2.3
Reporter: Peter O’Callaghan
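The APPSEC-1260 entry above describes two defensive points: a proxy header such as HTTP_X_FORWARDED_FOR is attacker-controlled unless the request actually arrived through a proxy you trust, and whatever value ends up recorded as the customer IP must be escaped before it is rendered in an Admin Panel page. The following Python is an added illustration of both points; it is not Magento's code. The trusted proxy range, the header values and the table-cell rendering are constructed for the example.

```python
import html
import ipaddress

# Constructed for this example: the only network from which a proxy
# is allowed to set X-Forwarded-For on our behalf.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted(addr, trusted_proxies):
    return any(addr in net for net in trusted_proxies)


def client_ip_from_headers(remote_addr, xff_header, trusted_proxies=TRUSTED_PROXIES):
    """Return the client IP to record for a request.

    remote_addr is the TCP peer; xff_header is the raw X-Forwarded-For value
    (or None). The header is honoured only when the peer is a trusted proxy,
    and then the rightmost address that is not itself a trusted proxy is
    taken. Anything unparsable (for instance injected markup) causes the
    header to be ignored entirely and the peer address to be used instead.
    """
    remote = ipaddress.ip_address(remote_addr)
    if not _is_trusted(remote, trusted_proxies):
        # Direct connection: the client could have set the header itself.
        return str(remote)
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Not an IP address at all: never store or display it.
            return str(remote)
        if not _is_trusted(addr, trusted_proxies):
            return str(addr)
    # Every hop was one of our own proxies; fall back to the peer.
    return str(remote)


def render_ip_cell(value):
    """Escape the stored value before it is placed into admin HTML, so that
    even a value that slipped past validation cannot become script."""
    return "<td>%s</td>" % html.escape(value, quote=True)
```

Recording the peer address when the header is untrusted, and escaping on output regardless, are independent controls; the advisory's note that this header configuration is not recommended applies even with both in place.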
Guest order view protection code vulnerable to brute-force attack – APPSEC-1270
Type: Information Leakage
CVSSv3 Severity: 7.5 (High)
Known Attacks: None
Description: The guest order view protection code makes it possible to access guest order information for some orders. (This is due to how the code is generated and compared with stored values.) While the attack cannot target a specific order or allow a user to view all orders, it can be used to extract order information from store.
Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3; Magento 2 CE & EE prior to 2.0.1
Fixed In: CE 1.9.2.3, EE 1.14.2.3, CE & EE 2.0.1
Reporter: Peter O’Callaghan
Information Disclosure in RSS feed – APPSEC-1171
Type: Information Leakage
CVSSv3 Severity: 7.5 (High)
Known Attacks: None
Description: You can download order comments and other order-related information by providing special parameters to the RSS feed request. This information, depending on contents of the order comments, can disclose private information or be used to access customer account or other customer information.
Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3
Fixed In: CE 1.9.2.3, EE 1.14.2.3
Reporter: Egidio Romano
CSRF token not validated on backend login page – APPSEC-1206
Type: Cross-site Request Forgery (CSRF)
CVSSv3 Severity: 7.4 (High)
Known Attacks: None
Description: The lack of form protection on the Admin Login page enables potential request forgery attacks. These forgery attacks require the administrator to be tricked into clicking on a link by phishing or by link hiding.
Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3
Fixed In: CE 1.9.2.3, EE 1.14.2.3
Reporter: Alistair Stead
Malicious files can be uploaded via backend – APPSEC-1306
Type: Insufficient Protection
CVSSv3 Severity: 6.5 (Medium)
Known Attacks: None
Description: An administrator can upload a file containing executable code to the server as a logo file if they rename the file to a supported image file format. The issue is not exploitable by itself unless the administrator account that has access to configuration is hacked. However, site audits may flag this issue, and it can cause security audits (such as PCI) to fail.
Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3
Fixed In: CE 1.9.2.3, EE 1.14.2.3
Reporter: Magento Merchant
CSRF leading to execution of admin actions after login – APPSEC-1179
Type: Cross-site Request Forgery (CSRF)
CVSSv3 Severity: 6.1 (Medium)
Known Attacks: None
Description: A user can execute a CSRF attack on URLs that result in a server-side action (such as deleting customers) when the administrator is logged out. This action is not executed until the administrator logs in after the attack. The attack relies upon phishing — that is, it requires the administrator to click on a malicious link — and requires the administrator to log in after the attack.
Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3
Fixed In: CE 1.9.2.3, EE 1.14.2.3
Reporter: Clement Mezino
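APPSEC-1206 and APPSEC-1179 above are both request-forgery issues on the admin side: one because the login form itself carried no form protection, the other because a state-changing request received while the administrator was logged out was held and executed after the next login. The Python below is an added example, not Magento's code, of the control both entries imply: every state-changing admin request, the login POST included, must carry a form key bound to the current session, compared in constant time, and a request that fails the check is rejected outright rather than deferred. Session handling, the routes and the credential check are constructed placeholders.

```python
import hmac
import secrets


def new_form_key():
    """Per-session secret that a cross-site page cannot read."""
    return secrets.token_urlsafe(32)


def form_key_valid(session, submitted):
    expected = session.get("form_key")
    if not expected or not isinstance(submitted, str):
        return False
    # Constant-time comparison so the check itself leaks nothing.
    return hmac.compare_digest(expected, submitted)


def check_credentials(user, password):
    # Placeholder for the real credential check; constructed for the example.
    return user == "admin" and password == "correct-horse"


def handle_admin_post(session, path, params):
    """Dispatch a POST to the admin area. Returns (http_status, message).

    session is a mutable dict standing in for server-side session storage.
    """
    # The form key is checked before anything else, including login,
    # so an unauthenticated request can never be stored for later replay.
    if not form_key_valid(session, params.get("form_key")):
        return 403, "invalid form key"
    if path == "/admin/login":
        if check_credentials(params.get("user"), params.get("password")):
            session["authenticated"] = True
            # Rotate the key on privilege change so a key issued to the
            # pre-login session cannot authorise post-login actions.
            session["form_key"] = new_form_key()
            return 200, "logged in"
        return 401, "bad credentials"
    if not session.get("authenticated"):
        return 401, "login required"
    return 200, "executed %s" % path
```

The login page renders `session["form_key"]` into a hidden field when it is served; a forged cross-site form cannot include that value, so the forged login or action fails at the first check and nothing is queued for the administrator's next session.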
Excel Formula Injection via CSV/XML export – APPSEC-1110
Type: Formula Injection
CVSSv3 Severity: 6.1 (Medium)
Known Attacks: None
Description: We have found an additional attack path not covered by issue APPSEC-978, which was resolved in patch https://magento.com/security/patches/supee-5994 for Magento 1.x. A user can provide input that executes a formula when exported and opened in a spreadsheet such as Microsoft Excel. This formula could modify data, export personal data to another site, or cause remote code execution. The spreadsheet typically displays a warning message, which the user must dismiss, for the attack to succeed. Note: The code that protects against this attack modifies the exported file by prepending some fields with a space. As a result, this fix can lead to data inconsistency. (Data inconsistency might occur when fields, such as product name or description, start with an =, + or – sign.) If this fix causes problems with your data processing, you can disable it. Be aware, however, that this protection is enabled by default, and disabling it increases the security risk. To disable this fix, log in to the Admin Panel, then use the System tab to navigate to the Export CSV fields.
Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3
Fixed In: CE 1.9.2.3, EE 1.14.2.3
Reporter: Nikhil Srivastava
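The APPSEC-1110 entry describes the mitigation in enough detail to show it working: cells whose text begins with a character a spreadsheet reads as the start of a formula get a leading space, which also explains the data-inconsistency caveat for legitimate values such as a product name beginning with "-". The Python below is an added example of that neutralisation applied to a CSV export, not Magento's export code. It also treats "@" as a formula prefix, which the entry does not list but which spreadsheet applications also honour, and includes an audit helper that reports which cells in an existing data set would be altered; the rows are constructed sample data.

```python
import csv
import io

# Leading characters that spreadsheet applications interpret as a formula.
# The advisory names =, + and -; @ is added here as an assumption.
FORMULA_PREFIXES = ("=", "+", "-", "@")


def neutralize_cell(value):
    """Prepend a space so the cell is read as text, never as a formula."""
    if isinstance(value, str) and value.startswith(FORMULA_PREFIXES):
        return " " + value
    return value


def find_formula_cells(rows):
    """Audit helper: (row_index, column_index) of every cell the export
    protection would modify, so data owners can see what will change."""
    hits = []
    for r, row in enumerate(rows):
        for c, cell in enumerate(row):
            if neutralize_cell(cell) != cell:
                hits.append((r, c))
    return hits


def export_rows(rows, protect=True):
    """Serialise rows to CSV text. protect=False reproduces the unprotected
    export the advisory warns against; protect=True is the default."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) if protect else cell for cell in row])
    return buf.getvalue()


# Constructed sample export: one benign row, one product name that starts
# with "-" (the data-inconsistency case), one cell carrying a formula.
SAMPLE_ROWS = [
    ["sku", "name", "description"],
    ["A1", "Plain shirt", "Cotton"],
    ["A2", "-20% clearance shirt", "Cotton"],
    ["A3", "Shirt", "=1+1"],
]
```

With `protect=True` the third row's name is written as " -20% clearance shirt", which is exactly the kind of change the advisory says downstream data processing may need to tolerate; the audit helper lets a store owner measure that impact before deciding whether to keep the protection on.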
XSS in Product Custom Options – APPSEC-1267
Type: Cross-site Scripting (XSS) – Stored
CVSSv3 Severity: 5.9 (Medium)
Known Attacks: None
Description: When using products with custom option for file upload, a user can upload a file with a file name that contains JavaScript code. This code could be executed in the Admin Panel context by editing the quote that contains the product, allowing both for the takeover of an administrator session or for an unauthorized user to execute malicious actions on behalf of an administrator.
Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3; Magento 2 CE & EE prior to 2.0.1
Fixed In: CE 1.9.2.3, EE 1.14.2.3, CE & EE 2.0.1
Reporter: Erik Wohllebe
Editing or Deleting Reviews without permission – APPSEC-1268
Type: Insufficient Data Protection
CVSSv3 Severity: 5.4 (Medium)
Known Attacks: None
Description: Insufficient verification of request parameters allows any user to delete or edit product reviews. Edited reviews are returned to a pending state. This attack does not depend on the setting that allows guest users to post reviews. As a result, a malicious user could use the store for spamming purposes or delete all reviews from the store.
Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3; Magento 2 CE & EE prior to 2.0.1
Fixed In: CE 1.9.2.3, EE 1.14.2.3, CE & EE 2.0.1
Reporter: Peter O’Callaghan
Disruption of email delivery – APPSEC-1177
Type: Denial of Service
CVSSv3 Severity: 5.3 (Medium)
Known Attacks: None
Description: An error in the email address associated with a store newsletter can interfere with the sending of newsletter email. This error can constitute a Denial of Service attack. In some cases, including accented characters can generate this error.
Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3; Magento 2 CE & EE prior to 2.0.1
Fixed In: CE 1.9.2.3, EE 1.14.2.3, CE & EE 2.0.1
Reporter: Benjamin Lessani
CAPTCHA Bypass – APPSEC-1283
Type: Brute Force (Generic) / Insufficient Anti-automation
CVSSv3 Severity: 5.3 (Medium)
Known Attacks: None
Description: A user can bypass CAPTCHA validation on the Magento frontend, which enables unrestricted password guessing attempts. Even with CAPTCHA protection enabled, this increases the risk of spam or password guessing attacks on customer accounts.
Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3; Magento 2 CE & EE prior to 2.0.1
Fixed In: CE 1.9.2.3, EE 1.14.2.3, CE & EE 2.0.1
Reporter: Erik Wohllebe
Admin path disclosure via Authorize.net – APPSEC-1208
Type: Information Disclosure (Internal)
CVSSv3 Severity: 5.3 (Medium)
Known Attacks: None
Description: A user can identify the URL for the Magento Admin Panel by calling Authorize.net payment module URLs. While exposure of the Admin path isn’t a direct security issue, it makes it easier to carry out other malicious attacks, including password guessing or phishing.
Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3
Fixed In: CE 1.9.2.3, EE 1.14.2.3
Reporter: Erik Wohllebe
XSS Payload in website’s translation table – APPSEC-1214
Type: Cross-site Scripting (XSS) – Stored
CVSSv3 Severity: 4.7 (Medium)
Known Attacks: None
Description: When inline translations are enabled on the frontend, a user can inject a translation string that contains JavaScript code. This JavaScript code will be later included and executed on the affected pages for all users, which can lead to a session takeover or an information disclosure. This is a low risk issue as inline translations should never be enabled without limits on a production site.
Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3
Fixed In: CE 1.9.2.3, EE 1.14.2.3
Reporter: Marc-Alexandre Montpas
CSRF Delete Items from Cart – APPSEC-1212
Type: Cross-site Request Forgery (CSRF)
CVSSv3 Severity: 4.3 (Medium)
Known Attacks: None
Description: Magento does not validate the form key when deleting items from the shopping cart using a GET request. As a result, a user could use phishing emails or other malicious attacks to trick a customer into deleting items from his cart.
Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3; Magento 2 CE & EE prior to 2.0.1
Fixed In: CE 1.9.2.3, EE 1.14.2.3, CE & EE 2.0.1
Reporter: Shabad Shashidar Reddy
XSS via custom options – APPSEC-1276
Type: Cross-site Scripting (XSS) – Stored
CVSSv3 Severity: 3.8 (Low)
Known Attacks: None
Description: A user can insert XSS JavaScript into a custom option title when creating it on the server side. The code can then be executed on the Magento frontend. Although this vulnerability does not directly enable a malicious attack on a store, such unvalidated input should not be allowed in a Magento installation.
Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3
Fixed In: CE 1.9.2.3, EE 1.14.2.3
Reporter: Allan MacGregor
Risky serialized string filtering – APPSEC-1204
Type: Unsafe Code
CVSSv3 Severity: 0 (Low)
Known Attacks: None
Description: Magento includes code to sanitize serialized strings and raises errors when an object is included. This code potentially allows specially crafted serialized objects to be unserialized by Magento, which can lead to possible malicious code execution. While the issue itself is not exploitable, a user can combine it with other attacks to support remote code execution.
Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3
Fixed In: CE 1.9.2.3, EE 1.14.2.3
Reporter: Taoguang Chen
Reflected XSS in backend coupon entry – APPSEC-1305
Type: Cross-site Scripting (XSS) – Reflected
CVSSv3 Severity: 0 (Low)
Known Attacks: None
Description: When working with an order that contains items in the shopping cart, an administrator can enter JavaScript into the coupon code field of the Manage Shopping Cart page. This JavaScript can be executed later. While this feature is not an exploitable security issue, site audits may flag this issue, and it can cause security audits (such as PCI) to fail.
Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3
Fixed In: CE 1.9.2.3, EE 1.14.2.3
Reporter: Magento Merchant
Injected code can be stored in database – APPSEC-1240
Type: Improper Input Handling
CVSSv3 Severity: 0 (Low)
Known Attacks: None
Description: JavaScript code that is passed using the Payflow Pro payment module is not sanitized but is saved to the database. This issue by itself is not a security risk. (This issue is related to APPSEC-1239.)
Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3; Magento 2 CE & EE prior to 2.0.1
Fixed In: CE 1.9.2.3, EE 1.14.2.3, CE & EE 2.0.1
Reporter: Internal
Additionally, the patch resolves issues identified by Magento merchants after installing previous security patches:
  • URLs are redirected to 404 page or installer
  • Caching issues when running PHP 5.3.3 without PHP-FPM
  • Block permissions code issue
  • Password forgotten link redirects to login page
  • Administrator password can be reused (Enterprise Edition only)