S

SUPEE-9767

SUPEE-9767 released on May 31, 2017 address several security issues, including Remote code execution through symlinks, Remote Code Execution in DataFlow, Remote Code Execution in the Admin panel, SQL injection in Visual Merchandiser and several XSS and CSRF issues.

NOTE:

Before applying the patch or upgrading to the latest release, make sure to disable Symlinks setting in System > Configuration > Advanced > Developer > Enable Symlinks. The setting, if enabled, will override configuration file setting and changing it will require direct database modification.

Patches and upgrades are available for the following Magento versions:

  • Enterprise Edition 1.9.0.0-1.14.3.2: SUPEE-9767 or upgrade to Enterprise Edition 1.14.3.3
  • Community Edition 1.5.0.1-1.9.3.2: SUPEE-9767 or upgrade to Community Edition 1.9.3.3

To download a patch or release, choose from the following options:

Partners:

Enterprise Edition 1.14.3.3 Partner Portal > Magento Enterprise Edition > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Version 1.x Releases > Version 1.14.3.3
SUPEE-9767 Partner Portal > Magento Enterprise Edition > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Support and Security Patches > Security Patches > Security Patches – May 2017

Enterprise Edition Merchants:

Enterprise Edition 1.14.3.3 My Account > Downloads Tab > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Version
1.x Releases > Version 1.14.3.3
SUPEE-9767 My Account > Downloads Tab > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Support and Security Patches > Security Patches > Security Patches – May 2017

Community Edition Merchants:

Community Edition 1.9.3.3 Community Edition Download Page > Release Archive Tab
SUPEE-9767 Community Edition Download Page > Release Archive Tab > Magento Community Edition Patches – 1.x Section

 

APPSEC-1281: Remote code execution through symlinks
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 8.8 (High)
Known Attacks: Yes. Attackers are disabling a configuration protection after gaining admin access and are uploading malicious code.
Description: Use of the AllowSymlinks option in configuration settings can enable the upload of an image that contains malicious code. Although this option is disabled by default, an attacker with access to store configuration settings can enable it and remotely execute code.
Product(s) Affected: Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Fixed In: CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767
Reporter: Wilko Nienhaus
APPSEC-1777: Remote Code Execution in DataFlow
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 8.8 (High)
Known Attacks: None
Description: Magento administrators with access to DataFlow functionality can use it to upload and execute arbitrary code.
Product(s) Affected: Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Fixed In: CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767
Reporter: Fabain
APPSEC-1686: Remote Code Execution in the Admin panel
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 8.8 (High)
Known Attacks: None
Description: Store administrators with access to CMS functionality can remotely execute code.
Product(s) Affected: Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3, Magento 2.0 prior to 2.0.14, Magento 2.1 prior to 2.1.7
Fixed In: CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767, Magento 2.0.14 and Magento 2.1.7
Reporter: Fabain
APPSEC-1320: SQL injection in Visual Merchandiser (Enterprise Edition)
Type: SQL Injection
CVSSv3 Severity: 8.8 (High)
Known Attacks: None
Description: The Visual Merchandiser contains an SQL injection vulnerability that can potentially allow a user with Admin privileges to directly edit the database.
Product(s) Affected: Magento EE prior to 1.14.3.3
Fixed In: EE 1.14.3.3, SUPEE-9767
Reporter: Oleksandr Semchyshyn
APPSEC-1634: XSS in data fields
Type: Cross-Site Scripting (XSS, reflected)
CVSSv3 Severity: 8.7 (High)
Known Attacks: None
Description: Some Admin tables do not filter data, which provides an inadvertent opening for reflected cross-site scripting attacks.
Product(s) Affected: Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Fixed In: CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767
Reporter: Lipsum
APPSEC-1759: XSS in Admin panel configuration
Type: Cross-Site Scripting (XSS, stored)
CVSSv3 Severity: 8.1 (High)
Known Attacks: None
Description: A Magento administrator with access to configuration settings can enter malicious code that can be executed on other Admin panel pages.
Product(s) Affected: Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Fixed In: CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767
Reporter: Fabain
APPSEC-1549: CSRF after logout – form key not invalidated
Type: Cross-Site Request Forgery (CSRF)
CVSSv3 Severity: 8.0 (High)
Known Attacks: None
Description: Magento does not invalidate form keys on logout, which potentially allows an attacker to execute commands as administrator after the admin logs out.
Product(s) Affected: Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Fixed In: CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767
Reporter: Internal
APPSEC-1693: Bypassing ACLs in store configuration permissions
Type: Privilege Escalation
CVSSv3 Severity: 6.5 (Medium)
Known Attacks: None
Description: Administrators with limited permission to modify configuration settings can also edit PayPal or payment configuration settings despite lack of explicit permissions.
Product(s) Affected: Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Fixed In: CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767
Reporter: Peter O’Callaghan
APPSEC-1677: Local File Disclosure for admin users with access to dataflow
Type: Information Leak (system)
CVSSv3 Severity: 6.5 (Medium)
Known Attacks: None
Description: An authenticated administrator can use DataFlow to exfiltrate system files.
Product(s) Affected: Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Fixed In: CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767
Reporter: Fabain
APPSEC-1546: CSRF Vulnerability in Checkout feature
Type: Cross-Site Request Forgery (CSRF)
CVSSv3 Severity: 6.1 (Medium)
Known Attacks: None
Description: Checkout functionality is vulnerable to cross-site request forgery attacks. These types of attacks are typically executed by phishing emails or pages that allow attackers to modify or harvest payment details.
Product(s) Affected: Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Fixed In: CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767
Reporter: Internal
APPSEC-1597: Potential for user name enumeration
Type: Insufficient Data Protection
CVSSv3 Severity: 5.3 (Medium)
Known Attacks: None
Description: When a user tries to log in using an invalid username or password, the Magento authentication mechanism responds with a message that indicates whether the username is valid. A malicious user can use this information to build a list of registered users.
Product(s) Affected: Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Fixed In: CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767
Reporter: Internal
APPSEC-1695: CSRF cache management
Type: Cross-Site Request Forgery (CSRF)
CVSSv3 Severity: 4.7 (Medium)
Known Attacks: None
Description: Vulnerabilities in session cache management may provide an opening for a cross-site request forgery attack. These types of attacks can include malicious clearing of session data.
Product(s) Affected: Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Fixed In: CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767
Reporter: Peter O’Callaghan
APPSEC-1324: Customer passwords exposed in logs
Type: Information Disclosure / Leakage (Confidential or Restricted)
CVSSv3 Severity: 4.4 (Medium)
Known Attacks: None
Description: In certain configurations, and depending on previous customer actions, a log-in action can generate an exception. Magento logs this exception, which may contain customer passwords, on the server.
Product(s) Affected: Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Fixed In: CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767
Reporter: Peter O’Callaghan
APPSEC-1675: Cross-site Request Forgery Vulnerability in Enterprise Edition (EE) Invites
Type: Cross-Site Request Forgery (CSRF)
CVSSv3 Severity: 3.4 (Low)
Known Attacks: None
Description: The Magento EE private sale invite feature is not protected against cross-site request forgery attacks. This vulnerability potentially allows an attacker to invite himself to/register on a restricted access site.
Product(s) Affected: Magento EE prior to 1.14.3.3
Fixed In: EE 1.14.3.3, SUPEE-9767
Reporter: Peter O’Callaghan
APPSEC-1659: Vulnerabilities in JavaScript libraries
Type: Misc Vulnerabilities
CVSSv3 Severity: 0 (Low)
Known Attacks: None
Description: Magento uses versions of JavaScript libraries with known security vulnerabilities. Magento does not use the vulnerable functionality, and no Magento-specific attack vector has been found. However, out of caution, we’ve updated the JavaScript libraries in question to the latest versions. Note: this issue does not affect Magento CE version prior to 1.9.0.0 and Magento EE versions prior to 1.14.0.0.
Product(s) Affected: Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3, Magento 2.0 prior to 2.0.14, Magento 2.1 prior to 2.1.7
Fixed In: CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767, Magento 2.0.14 and Magento 2.1.7 allin
Reporter: Internal
APPSEC-1622: Incorrect routing of requests
Type: Abuse of Functionality
CVSSv3 Severity: 0 (None)
Known Attacks: None
Description: Incorrect request routing can enable the bypassing of web server protections, which in turn provides potentially malicious users access to the server.
Product(s) Affected: Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3, Magento 2.0 prior to 2.0.14, Magento 2.1 prior to 2.1.7
Fixed In: CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767, Magento 2.0.14 and Magento 2.1.7 allin
Reporter: Internal
SUPEE-9767
0 votes, 0.00 avg. rating (0% score)