Despite being one of the most robust ecommerce platforms, Magento still encounters security issues from time to time. This is why Magento regularly releases new versions and security patches aimed at closing these vulnerabilities.

Magento has just released security updates, alongside other updates, in new versions of Magento Commerce and Open Source intended to improve product security, performance, and functionality:

    • Magento Commerce and Open Source 2.3.1
    • Magento Commerce and Open Source 2.2.8
    • Magento Commerce and Open Source 2.1.17
    • Magento Commerce 1.14.4.1
    • Magento Open Source 1.9.4.1
    • SUPEE-11086 to patch earlier Magento 1.x versions

Several high-severity (CVSSv3) issues were found affecting Magento Open Source prior to 1.9.4.1, Magento Commerce prior to 1.14.4.1, Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, and Magento 2.3 prior to 2.3.1. Below are the high severity Magento vulnerabilities addressed by the latest security update:

Issue Type: Remote Code Execution (RCE)

CVSSv3 Severity | Security Bug | Description
9.8 | Remote code execution through crafted newsletter and email templates | An administrator user with access to the Braintree payment method configuration can trigger remote code execution through PHP object injection.
9.1 | Remote code execution through email template | An authenticated user with administrative privileges can execute arbitrary code through email templates.
8.5 | Arbitrary code execution due to unsafe deserialization of a PHP archive | An authenticated user with administrative privileges can execute arbitrary code through a Phar deserialization vulnerability.
8.5 | Arbitrary code execution due to the unsafe handling of an API call to a core bundled extension (Magento Shipping) | An authenticated user with privileges to configure store settings can execute arbitrary code through server-side request forgery.
8.5 | An authenticated user with privileges to configure email templates can execute arbitrary code via a PHP archive deserialization vulnerability. | The upload settings for B2B quote files are vulnerable to remote code execution attacks.

Issue Type: SQL Injection and cross-site scripting

CVSSv3 Severity | Security Bug | Description
7.7 | SQL injection and cross-site scripting vulnerability in Catalog section (XSS) | An authenticated user can embed malicious code through a stored cross-site scripting vulnerability or an SQL injection vulnerability in the Catalog section by manipulating attribute_code.
7.2 | SQL injection vulnerability through an unauthenticated user | An unauthenticated user can execute arbitrary code through an SQL injection vulnerability, which causes sensitive data leakage.
6.5 | SQL injection due to inadequate validation of user input | An authenticated user with privileges to configure email templates can execute arbitrary SQL queries.

Issue Type: Cross Site Scripting

CVSSv3 Severity | Security Bug | Description
6.5 | Stored cross-site scripting in the Admin Customer Segments area | An authenticated user with privileges to the Customer Segments section of the Admin can use a stored cross-site scripting vulnerability to embed malicious code.
6.3 | Reflected cross-site scripting vulnerability in the Admin through the requisition list ID | An authenticated user with privileges to the Admin requisition list ID can use a cross-site scripting vulnerability to embed malicious code.
5.8 | Stored cross-site scripting in the admin panel via the Admin Shopping Cart Rules page | An authenticated user with administrative privileges can embed arbitrary code in the Conditions tab of the Admin Shopping Cart Rules page.
5.8 | Deletion of a product attribute through cross-site request forgery | An attacker can delete a product attribute within the context of an authenticated administrator's session through cross-site request forgery.
5.8 | Site map deletion through cross-site request forgery | An attacker can delete the site map within the context of an authenticated administrator's session through cross-site request forgery.
5.7 | Deletion of synonym groups through a cross-site request forgery vulnerability | An attacker can delete all synonym groups within the context of an authenticated administrator's session through cross-site request forgery.

Source: Magento

Magento strongly recommends deploying these new releases right away to ensure optimal security and performance. Remember to implement and test the patch in a development environment first to confirm that it works as expected, or consult a professional.
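The first thing to establish before planning the upgrade is whether a given store is still below the fixed releases listed above. The following script is an added example, not code from Magento or from this post: it parses the version string printed by `bin/magento --version` (Magento 2) or shown in the Magento 1 admin footer, and compares it against the first fixed release of its branch. For Magento 1.x stores that stayed on an older version but applied SUPEE-11086, it also scans the contents of `app/etc/applied.patches.list`, the file in which Magento 1 records applied patches. The sample inputs are constructed for illustration.

```python
"""Check whether a Magento version string predates the fixed releases
named in the March 2019 security release (added example, not Magento code)."""
import re

# First fixed release per branch, taken from the release list above.
FIXED_RELEASES = {
    "2.3": (2, 3, 1),
    "2.2": (2, 2, 8),
    "2.1": (2, 1, 17),
    "1.14": (1, 14, 4, 1),  # Magento Commerce 1.x
    "1.9": (1, 9, 4, 1),    # Magento Open Source 1.x
}


def parse_version(text):
    """Extract a dotted version from strings like 'Magento CLI 2.3.0'
    or 'Magento ver. 1.9.3.10' and return it as a tuple of ints."""
    match = re.search(r"(\d+(?:\.\d+)+)", text)
    if not match:
        raise ValueError("no version number found in %r" % text)
    return tuple(int(part) for part in match.group(1).split("."))


def is_patched(text):
    """Return True if the version is at or above the fixed release for its
    branch, False if it is older, and None if the branch is not one the
    advisory covers (so no conclusion can be drawn from the version alone)."""
    version = parse_version(text)
    branch = ".".join(str(part) for part in version[:2])
    fixed = FIXED_RELEASES.get(branch)
    if fixed is None:
        return None
    # Tuple comparison handles differing lengths: (1, 14, 4) < (1, 14, 4, 1).
    return version >= fixed


def has_supee_11086(applied_patches_text):
    """Magento 1 records each applied patch as a line in
    app/etc/applied.patches.list; look for SUPEE-11086 there."""
    return any("SUPEE-11086" in line for line in applied_patches_text.splitlines())


if __name__ == "__main__":
    # Constructed sample inputs, not output from a real store.
    for sample in ("Magento CLI 2.3.0", "Magento CLI 2.2.8", "Magento ver. 1.9.3.10"):
        status = is_patched(sample)
        print("%-24s -> %s" % (sample, {True: "patched", False: "NEEDS UPGRADE", None: "unknown branch"}[status]))
    # Constructed excerpt in the shape of an applied.patches.list entry.
    sample_patch_list = "2019-03-26 12:00:00 UTC | SUPEE-11086 | CE_1.9.3.10 | v1 | ...\n"
    print("SUPEE-11086 applied:", has_supee_11086(sample_patch_list))
```

A 1.x store whose version is below 1.9.4.1 or 1.14.4.1 is only safe if `has_supee_11086` finds the patch recorded; a 2.x store has no equivalent standalone patch for this release, so the version check alone decides.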

What else can be done to protect a Magento site?

Apart from installing the security patches, you can ask Magento certified professionals to conduct a security audit every quarter to confirm that your store remains secure, especially if you have installed new extensions or made changes to the site.

If you're interested in implementing the security patches or upgrading your Magento site, reach out to Rave to schedule a meeting with one of our Certified Magento Professionals, who will coordinate a free Upgrade Assessment and estimate.