[SingCERT] Magento Commerce and Open Source Security Update

Published on 28 Jun 2019

Updated on 23 Oct 2019

Background

Magento has announced the release of 75 security patches to address vulnerabilities affecting its Magento Commerce and Open Source products.

The following vulnerabilities have a Common Vulnerability Scoring System (CVSS) v3.0 severity base score of 9 and above out of 10.

  • PRODSECBUG-2296: Arbitrary code execution through design layout update - CVE-2019-7895: Attackers with access to user accounts that have admin privileges can execute arbitrary code through a crafted eXtensible Markup Language (XML) layout update.
  • PRODSECBUG-2298: Arbitrary code execution through product imports and design layout update - CVE-2019-7896: Attackers with access to user accounts that have admin privileges can execute arbitrary code through a combination of product import via a crafted comma-separated values (CSV) file and an XML layout update.
  • PRODSECBUG-2349: Arbitrary code execution via file upload in admin import feature - CVE-2019-7930: Attackers with access to user accounts that have admin privileges to the import feature can execute arbitrary code by uploading a malicious CSV file.
  • PRODSECBUG-2202: Security bypass via form data injection - CVE-2019-7871: Attackers with access to user accounts that have admin privileges can inject form data and bypass the security protections that prevent arbitrary PHP script upload.
  • PRODSECBUG-2375: Arbitrary code execution via malicious XML layouts - CVE-2019-7942: Attackers with access to user accounts that have admin privileges can execute arbitrary code when creating a product via malicious XML layouts.
  • PRODSECBUG-2306: Remote code execution through crafted email templates - CVE-2019-7903: Attackers with access to user accounts that have admin privileges can execute arbitrary code through crafted email template code when previewing the template.
  • PRODSECBUG-2350: MySQL error through crafted Elasticsearch query - CVE-2019-7931: An attacker can tamper with search queries, causing a MySQL error, when Elasticsearch is set as the search provider.
  • PRODSECBUG-2351: Arbitrary code execution via crafted sitemap creation - CVE-2019-7932: Attackers with access to user accounts that have admin privileges can execute arbitrary code by creating a sitemap that includes a PHP filename within the XML filename.
  • PRODSECBUG-2266: Arbitrary code execution through malicious Elasticsearch module configuration - CVE-2019-7885: Attackers with access to user accounts with privileges to configure the catalog search can execute arbitrary code through malicious configuration of the Elasticsearch module.

For the full list of security updates released by Magento, please refer to the References section.

Affected Products

The security release contains updates for the following:

  • Magento 2.1 prior to 2.1.18
  • Magento 2.2 prior to 2.2.9
  • Magento 2.3 prior to 2.3.2
  • Magento Open Source prior to 1.9.4.2
  • Magento Commerce prior to 1.14.4.2

Impact
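The version boundaries above are the only information an administrator needs to decide whether a given store is in scope. The following is an added example (not SingCERT's or Magento's own tooling) that encodes those fixed versions and checks an inventory of installs against them. The edition labels, function names and the sample inventory are constructed for the example; a version on a branch the advisory does not list raises an error rather than being silently reported as safe.

```python
"""Check Magento installs against the fixed versions named in this advisory.

Added example, not part of the advisory or of Magento's tooling. The fixed
version strings come from the advisory's Affected Products list; the edition
labels ('magento2', 'open-source', 'commerce') are this example's own.
"""
from typing import Dict, List, Optional, Tuple

# First patched release per (edition, branch), as stated in the advisory.
# Magento 2.x fixes apply to both Commerce and Open Source, so one key covers both.
FIXED_VERSIONS: Dict[Tuple[str, str], str] = {
    ("magento2", "2.1"): "2.1.18",
    ("magento2", "2.2"): "2.2.9",
    ("magento2", "2.3"): "2.3.2",
    ("open-source", "1"): "1.9.4.2",
    ("commerce", "1"): "1.14.4.2",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.3.1' or '1.9.4.2' into a tuple of ints that compares correctly.

    A patch suffix such as '-p1' is dropped: the advisory states fixes by
    numeric release only, so only that part is compared here.
    """
    numeric = version.strip().split("-", 1)[0]
    return tuple(int(part) for part in numeric.split("."))


def is_affected(version: str, edition: Optional[str] = None) -> bool:
    """Return True when `version` predates the fixed release for its branch.

    `edition` is required for 1.x installs because Open Source and Commerce
    have different fixed versions; it is ignored for 2.x. A branch the advisory
    does not mention raises ValueError so the caller cannot mistake "unknown"
    for "not affected".
    """
    parsed = parse_version(version)
    if parsed[0] == 2:
        if len(parsed) < 2:
            raise ValueError(f"need at least major.minor for 2.x: {version!r}")
        key = ("magento2", f"{parsed[0]}.{parsed[1]}")
    else:
        if edition is None:
            raise ValueError("edition ('open-source' or 'commerce') is required for 1.x")
        key = (edition, str(parsed[0]))
    fixed = FIXED_VERSIONS.get(key)
    if fixed is None:
        raise ValueError(f"branch not covered by this advisory: {edition} {version}")
    return parsed < parse_version(fixed)


def affected_hosts(inventory: List[Dict[str, str]]) -> List[str]:
    """Return the names of inventory entries that still need the update.

    Each entry is {'host': ..., 'version': ..., 'edition': ...}; edition may be
    omitted for 2.x installs.
    """
    return [
        entry["host"]
        for entry in inventory
        if is_affected(entry["version"], entry.get("edition"))
    ]


# Constructed sample inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    {"host": "shop-a.example", "version": "2.3.1"},
    {"host": "shop-b.example", "version": "2.3.2-p1"},
    {"host": "shop-c.example", "version": "2.2.8"},
    {"host": "legacy-os.example", "version": "1.9.4.1", "edition": "open-source"},
    {"host": "legacy-ee.example", "version": "1.14.4.2", "edition": "commerce"},
]

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: update required")
```

Run against real data, feed the inventory from whatever records the deployed version (for Magento 2 the `version` field of the root `composer.json` is the usual source), and treat any ValueError as a branch to review by hand rather than as a pass.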

Successful exploitation of these vulnerabilities could allow an attacker to take control of the affected system and perform malicious activities, including modifying and installing programs; viewing, changing or deleting data; or creating new accounts with full user rights.

Recommendations

Magento administrators are advised to update to the latest version immediately.

References