Magento SUPEE-10415
SUPEE-10415, Magento Commerce 1.14.3.7 and Magento Open Source 1.9.3.7 contain multiple security enhancements that help close cross-site request forgery (CSRF), denial-of-service (DoS), stored cross-site scripting (XSS) and authenticated Admin user remote code execution (RCE) vulnerabilities. Note that the RCE and XSS issues listed below need only an Admin account with limited privileges, so until the patch is applied any compromised or malicious low-privilege Admin user should be assumed capable of executing code on the server. These releases also include a fix for the small number of customers who had problems applying two prior patches because of SOAP v1 interactions in the WSDL.
Information on all the changes in 1.14.3.7 and 1.9.3.7 releases is available in the Magento Commerce and Magento Open Source release notes.
Patches and upgrades are available for the following Magento versions:
- Magento Commerce 1.9.0.0-1.14.3.7: SUPEE-10415 or upgrade to Magento Commerce 1.14.3.7.
- Magento Open Source 1.5.0.0-1.9.3.7: SUPEE-10415 or upgrade to Magento Open Source 1.9.3.7.
APPSEC-1330: Unsanitized input leading to denial of service | |
---|---|
Type: | Denial-of-Service (DoS) |
CVSSv3 Severity: | 6.7 (Medium) |
Known Attacks: | None |
Description: | A site visitor can create a customer account with a parameter value that causes a server denial of service. |
Product(s) Affected: | Magento Open Source prior to 1.9.3.7, and Magento Commerce prior to 1.14.3.7. |
Fixed In: | Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415. |
Reporter: | Internal |
APPSEC-1885: Stored XSS in Product Descriptions | |
---|---|
Type: | Cross-Site Scripting (XSS, stored) |
CVSSv3 Severity: | 6.6 (Medium) |
Known Attacks: | None |
Description: | An administrator with limited privileges can insert script in product and short descriptions, potentially resulting in a stored cross-site scripting that affects site users. |
Product(s) Affected: | Magento Open Source prior to 1.9.3.7, and Magento Commerce prior to 1.14.3.7. |
Fixed In: | Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415. |
Reporter: | hodollsoft |
APPSEC-1892: Stored XSS in Visual Merchandiser | |
---|---|
Type: | Cross-Site Scripting (XSS, stored) |
CVSSv3 Severity: | 6.1 (Medium) |
Known Attacks: | None |
Description: | An administrator with limited privileges can create a stored cross-site scripting attack in the Visual Merchandiser system. |
Product(s) Affected: | Magento Open Source prior to 1.9.3.7, and Magento Commerce prior to 1.14.3.7. |
Fixed In: | Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415. |
Reporter: | magecraze |
APPSEC-1894: Remote Code Execution by leveraging unsafe unserialization | |
---|---|
Type: | Remote Code Execution (RCE) |
CVSSv3 Severity: | 8.2 (High) |
Known Attacks: | None |
Description: | An administrator with limited privileges can insert injectable code in promo fields, creating an opportunity for arbitrary remote code execution. |
Product(s) Affected: | Magento Open Source prior to 1.9.3.7, and Magento Commerce prior to 1.14.3.7. |
Fixed In: | Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415. |
Reporter: | pocallaghan |
APPSEC-1897: Fix WSDL based patching to work with SOAP V1 | |
---|---|
Type: | Patch Fix |
CVSSv3 Severity: | None |
Known Attacks: | None |
Description: | Addresses an issue, affecting a small number of customers, that prevented two prior patches from handling SOAP v1 interactions in the WSDL. |
Product(s) Affected: | Magento Open Source prior to 1.9.3.7, and Magento Commerce prior to 1.14.3.7. |
Fixed In: | Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415. |
Reporter: | Internal |
APPSEC-1913: Remote Code Execution through Config Manipulation | |
---|---|
Type: | Remote Code Execution (RCE) |
CVSSv3 Severity: | 7.2 (High) |
Known Attacks: | None |
Description: | An administrator with limited privileges can inject a malformed configuration value, bypassing validation and leading to a file redirection that can be leveraged into arbitrary remote code execution. |
Product(s) Affected: | Magento Open Source prior to 1.9.3.7, and Magento Commerce prior to 1.14.3.7. |
Fixed In: | Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415. |
Reporter: | pocallaghan |
APPSEC-1914: Stored XSS in CMS Page Area | |
---|---|
Type: | Cross-Site Scripting (XSS, stored) |
CVSSv3 Severity: | 6.1 (Medium) |
Known Attacks: | None |
Description: | An administrator with limited privileges can create a page within the Content Management System (CMS) with an embedded cross-site scripting attack. |
Product(s) Affected: | Magento Open Source prior to 1.9.3.7, and Magento Commerce prior to 1.14.3.7. |
Fixed In: | Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415. |
Reporter: | pocallaghan |
APPSEC-1915: Remote Code Execution in CMS Page Area | |
---|---|
Type: | Remote Code Execution (RCE) |
CVSSv3 Severity: | 8.2 (High) |
Known Attacks: | None |
Description: | An administrator with limited privileges can create a specially crafted CMS page that is parsed incorrectly, potentially leading to arbitrary remote code execution. |
Product(s) Affected: | Magento Open Source prior to 1.9.3.7, and Magento Commerce prior to 1.14.3.7. |
Fixed In: | Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415. |
Reporter: | pocallaghan |
APPSEC-1325: Stored XSS in Billing Agreements | |
---|---|
Type: | Cross-Site Scripting (XSS, stored) |
CVSSv3 Severity: | 5.5 (Medium) |
Known Attacks: | None |
Description: | An administrator with limited privileges can create Billing Agreements with embedded cross-site scripting elements that can subsequently lead to a stored cross-site scripting attack. |
Product(s) Affected: | Magento Open Source prior to 1.9.3.7, and Magento Commerce prior to 1.14.3.7, Magento 2.0 prior to 2.0.17, Magento 2.1 prior to 2.1.10, Magento 2.2 prior to 2.2.1 |
Fixed In: | Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415, Magento 2.0.17, Magento 2.1.10, Magento 2.2.1 |
Reporter: | pocallaghan |
APPSEC-1830: PHP Object Injection in product attributes leading to Remote Code Execution | |
---|---|
Type: | Remote Code Execution (RCE) |
CVSSv3 Severity: | 8.2 (High) |
Known Attacks: | None |
Description: | An administrator with limited privileges can insert a widget block containing malicious code, creating an opportunity for arbitrary remote code execution. |
Product(s) Affected: | Magento Open Source prior to 1.9.3.7, and Magento Commerce prior to 1.14.3.7, Magento 2.0 prior to 2.0.17, Magento 2.1 prior to 2.1.10, Magento 2.2 prior to 2.2.1 |
Fixed In: | Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415, Magento 2.0.17, Magento 2.1.10, Magento 2.2.1 |
Reporter: | fabian |
APPSEC-1861: PHP Object Injection in product entries leading to Remote Code Execution | |
---|---|
Type: | Remote Code Execution (RCE) |
CVSSv3 Severity: | 8.2 (High) |
Known Attacks: | None |
Description: | An administrator with limited privileges can insert injectable code in promo fields, creating an opportunity for arbitrary remote code execution. |
Product(s) Affected: | Magento Open Source prior to 1.9.3.7, and Magento Commerce prior to 1.14.3.7, Magento 2.0 prior to 2.0.17, Magento 2.1 prior to 2.1.10, Magento 2.2 prior to 2.2.1 |
Fixed In: | Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415, Magento 2.0.17, Magento 2.1.10, Magento 2.2.1 |
Reporter: | fabian |