Although Magento is one of the most robust ecommerce platforms, it is not free of security issues, which is why Magento regularly releases new versions and security patches to close them.
Magento has now released a set of security updates. The releases contain multiple security fixes that close Remote Code Execution (RCE), Cross-Site Scripting (XSS) and other vulnerabilities:

  • Magento Commerce and Open Source 2.3.0
  • Magento Commerce and Open Source 2.2.7
  • Magento Commerce and Open Source 2.1.16
  • Magento Commerce 1.14.4.0
  • Magento Open Source 1.9.4.0
  • SUPEE-10975 to patch earlier Magento 1.x versions

Several high-severity (CVSSv3) issues affect Magento Open Source prior to 1.9.4.0, Magento Commerce prior to 1.14.4.0, Magento 2.1 prior to 2.1.16 and Magento 2.2 prior to 2.2.7. A few of the bugs are listed below:

Issue Type: Remote Code Execution (RCE)

CVSSv3 Severity | Security Bug | Description
9.1 | PHP Object Injection (POI) and Remote Code Execution (RCE) in the Magento 2.1.15 Admin | An administrator user with access to the Braintree payment method configuration can trigger remote code execution through PHP object injection.
9.1 | PHP Object Injection (POI) and Remote Code Execution (RCE) in the Admin | An administrator with access to the Varnish configuration settings and the design configuration can trigger remote code execution through PHP object instantiation.
8.8 | Remote Code Execution through Path Traversal | Administrators with limited privileges can upload an unauthorized template by using path traversal.
8.5 | Remote Code Execution through the Admin | A user can upload unauthorized files while creating a downloadable product.
8.5 | Remote Code Execution in Upload of Quote File | The upload settings for B2B quote files are vulnerable to remote code execution attacks.
8.5 | Remote Code Execution Vulnerability in Race Condition | An unauthorized file download can be used to remotely execute code.
8.5 | API-Based Remote Code Execution Vulnerability | By activating an API that supports adding products, a malicious user can send base64-encoded content to an unauthorized file and use it to remotely execute code.

Issue Type: Privilege Escalation

CVSSv3 Severity | Security Bug | Description
7.7 | Unauthorized read permissions through Email Templates | A malicious user could use special characters in email template content to circumvent the CSS directive that allows the CSS file to be loaded directly into the body of the content.
7.2 | Bypass of Authorization Check by Unauthorized Users | An unauthorized user can access user data by rendering arbitrary code blocks.
6.5 | Vulnerability in Customer Shopping Cart | The customer shopping cart and coupons are vulnerable to cross-site scripting attacks.

Issue Type: Cross-Site Request Forgery (CSRF)

CVSSv3 Severity | Security Bug | Description
6.5 | Customer Gift Card Vulnerability | Customer gift cards are vulnerable to brute-force and cross-site request forgery attacks during the redeem, check balance and sales actions.
6.5 | Vulnerability within Return Order Requests | Return merchandise authorizations (RMA) are vulnerable to cross-site request forgery.
6.0 | Remote Code Execution through the Product Media Upload in the Admin | A path traversal vulnerability permits folder creation at arbitrary locations and file deletion from arbitrary locations in the Admin product image/media upload area.

Source: Magento

Magento strongly recommends deploying these releases right away to ensure optimal security and performance. Apply and test the release or patch in a development environment first to confirm that it works as expected, or consult a professional.
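Before planning the upgrade it helps to know which of the stores you run are actually below the fixed versions. The script below is an added example, not Magento's or Rave's code: it compares a version string against the first fixed release on each branch listed on this page (2.3.0, 2.2.7, 2.1.16, Commerce 1.14.4.0, Open Source 1.9.4.0) and, for Magento 1.x installs that have no new release, looks for SUPEE-10975 in app/etc/applied.patches.list. It assumes the version string is whatever `bin/magento --version` (Magento 2) or Mage::getVersion() (Magento 1) prints, and that every line of applied.patches.list that records a patch contains the SUPEE id and the word REVERTED if the patch was later rolled back; the sample list at the bottom is constructed for the example.

```python
"""Check Magento version strings against the security releases on this page.

Added example (not Magento's or Rave's code). Assumed inputs: the output of
`bin/magento --version` or Mage::getVersion(), and the text of
app/etc/applied.patches.list for Magento 1 stores.
"""
import re

# First fixed release per branch, taken from the release list on this page.
FIXED_RELEASES = {
    (2, 3): (2, 3, 0),
    (2, 2): (2, 2, 7),
    (2, 1): (2, 1, 16),
    (1, 14): (1, 14, 4, 0),   # Magento Commerce 1.x
    (1, 9): (1, 9, 4, 0),     # Magento Open Source 1.x
}

PATCH_ID = "SUPEE-10975"


def parse_version(text):
    """Pull a dotted version out of text such as 'Magento CLI 2.2.6' or '1.9.3.10'."""
    match = re.search(r"\b(\d+(?:\.\d+)+)\b", text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def supee_10975_applied(applied_patches_text):
    """True if the most recent record for SUPEE-10975 is an application, not a revert.

    Assumed file layout: one line per patch event, containing the SUPEE id and,
    for a rollback, the word REVERTED. A later revert line overrides an earlier apply.
    """
    applied = False
    for line in applied_patches_text.splitlines():
        if PATCH_ID in line:
            applied = "REVERTED" not in line
    return applied


def assess(version_text, applied_patches_text=""):
    """Classify an install as 'patched release', 'patched via SUPEE-10975',
    'vulnerable' or 'unknown branch' (a 2.x branch this page does not cover)."""
    version = parse_version(version_text)
    fixed = FIXED_RELEASES.get(version[:2])
    # Tuple comparison is element-wise, so (1, 9, 3, 10) < (1, 9, 4, 0) holds.
    if fixed is not None and version >= fixed:
        return "patched release"
    if version[0] == 1:
        # Any 1.x below the new releases (including older branches) needs SUPEE-10975.
        if supee_10975_applied(applied_patches_text):
            return "patched via SUPEE-10975"
        return "vulnerable"
    if fixed is None:
        return "unknown branch"
    return "vulnerable"


# Constructed sample applied.patches.list: an earlier patch, then SUPEE-10975
# applied, reverted, and applied again (the final apply is what counts).
SAMPLE_APPLIED_PATCHES = """\
2018-06-01 09:00:00 UTC | SUPEE-10570 | CE_1.9.3.8 | v1 | applied
2018-11-28 10:15:00 UTC | SUPEE-10975 | CE_1.9.3.10 | v1 | applied
2018-11-28 10:40:00 UTC | SUPEE-10975 | CE_1.9.3.10 | v1 | REVERTED
2018-11-28 11:05:00 UTC | SUPEE-10975 | CE_1.9.3.10 | v1 | applied
"""

if __name__ == "__main__":
    checks = [
        ("Magento CLI 2.2.6",),
        ("Magento CLI 2.3.0",),
        ("1.9.3.10", SAMPLE_APPLIED_PATCHES),
        ("1.9.3.10",),
    ]
    for args in checks:
        print(f"{args[0]}: {assess(*args)}")
```

Run it against the version strings of each store you manage; a result of "vulnerable" means the store is below the fixed release for its branch and, for Magento 1, has no recorded SUPEE-10975 application. A version on a 2.x branch not listed on this page is reported as "unknown branch" rather than silently treated as safe.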

What else can be done to protect a Magento site?

Apart from installing the security patches, you can have Magento certified professionals conduct a security audit every quarter to confirm that your store is secure, especially after you have installed new extensions or made changes to the site.

If you are interested in implementing the security patches or upgrading your Magento site, reach out to Rave to quickly schedule a meeting with one of our Certified Magento Professionals, who will coordinate a free Upgrade Assessment and estimate.