Despite being one of the most robust ecommerce platforms, Magento also encounters few security-related issues. And this is why Magento timely releases new versions and security patches aimed to guard against these vulnerabilities.
Magento has just released security updates along with other updates for the new versions of Magento Commerce and Open Source to exponentially increase product security, performance, and functionality:
- Magento Commerce and Open Source 2.3.1
- Magento Commerce and Open Source 2.2.8
- Magento Commerce and Open Source 2.1.17
- Magento Commerce 220.127.116.11
- Magento Open Source 18.104.22.168
- SUPEE-11086 to patch earlier Magento 1.x versions
There were several high CVSSv3 Severity issues found which affected the products Magento Open Source prior to 22.214.171.124, and Magento Commerce prior to 126.96.36.199, Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1. Below are the high severity Magento vulnerabilities addresed by the latest security update:
Issue Type: Remote Code Execution (RCE)
|CVSSv3 Severity||Security Bug||Description|
|9.8||Remote code execution though crafted newsletter and email templates||An administrator user with access to the Braintree payment method configuration can trigger remote code execution through PHP object injection.|
|9.1:||Remote code execution through email template||An authenticated user with administrative privileges can execute arbitrary code through email templates|
|8.5||Arbitrary code execution due to unsafe deserialization of a PHP archive||An authenticated user with administrative privileges can execute arbitrary code through a Phar deserialization vulnerability.|
|8.5||Arbitrary code execution due to the unsafe handling of an API call to a core bundled extension. (Magento Shipping)||An authenticated user with privileges to configure store settings can execute arbitrary code execution through server-side request forgery.|
|8.5||An authenticated user with privileges to configure email templates can execute arbitrary code via a PHP archive deserialization vulnerability.||The upload settings for B2B quote files are vulnerable to remote code execution attacks.|
Issue Type: SQL Injection and cross-site scripting
|7.7||SQL Injection and cross-site scripting vulnerability in Catalog section (XSS)||An authenticated user can embed malicious code through a stored cross-site scripting vulnerability or an SQL injection vulnerability in the Catalog section by manipulating attribute_code.|
|7.2||SQL Injection vulnerability through an unauthenticated user||An unauthenticated user can execute arbitrary code through an SQL injection vulnerability, which causes sensitive data leakage.|
|6.5||SQL injection due to inadequate validation of user input||An authenticated user with privileges to configure email templatescan execute arbitrary SQL queries.|
Issue Type: Cross Site Scripting
|6.5||Stored cross-site scripting in the Admin Customer Segments area||An authenticated user with privileges to the Customer Segments section of the Admin can use a stored cross site scripting vulnerability to embed malicious code.|
|6.3||Reflected cross-site scripting vulnerability in the Admin through the requisition list ID||An authenticated user with privileges to the Admin requisition list ID can use a cross-site scripting vulnerability to embed malicious code.|
|5.8||Stored cross-site scripting in the admin panel via the Admin Shopping Cart Rules page||An authenticated user with administrative privileges can embed arbitrary code in the Conditions tab of Admin Shopping Cart Rules page.|
|5.8||Deletion of a product attribute through cross-site request forgery||An attacker can delete a product attribute within the context of authenticated administrator’s session through cross-site request forgery.|
|5.8||Site map deletion through cross-site request forgery||An attacker can delete the site map within the context of an authenticated administrator’s session through cross-site request forgery.|
|5.7||Deletion of synonym groups through a cross-site request forgery vulnerability||An attacker can delete all synonyms groups within the context of an authenticated administrator’s session through cross-site request forgery.|
It is highly recommended by Magento to deploy these new releases right away, to ensure optimal security and performance. Remember to implement and test the patch in a development environment first to confirm that it works as expected or consult a professional.
What else can be done to protect a Magento site?
Apart from installing the security patches, you can always ask Magento certified professionals to conduct a security audit every quarter to ensure that your store is secured especially if you have installed new extensions and made some changes to the site.
If you’re interested in implementing the security patches or to upgrade your Magento site, reach out to Rave to quickly schedule a meeting with one of our Certified Magento Professionals who will coordinate a free Upgrade Assessment and estimate.