This post reviews the security updates released for all supported versions of Magento 2, including the new minor release, Magento 2.3.0. These updates cover 35 security fixes, most of them rated “Medium” or “High” severity, plus two rated “Critical”. The “Critical” entries cover PHP Object Injection (POI) and Remote Code Execution (RCE) through the Braintree payment configuration, Varnish configuration, and design configuration admin areas, and an unauthorized file upload via customer attributes.
The bulk of the patch consists of “High” and “Medium” severity issues. A large portion of these close RCE paths such as path traversal, unauthorized file upload while creating downloadable products, upload settings for B2B quote files, API activation, video uploads, and the admin import feature. There are also many Cross-Site Scripting (XSS) vulnerabilities through unsanitized URL parameters, shopping cart fields, customer coupon code fields, newsletter templates, product image/media uploads in the admin panel, admin alert messages in the store configuration settings, widgets, shopping cart settings, and attribute set group names.
The remaining “Medium” and “High” severity vulnerabilities cover a combination of Cross-Site Request Forgery (CSRF) (e.g. gift cards, RMA and other admin panels), Privilege Escalation (e.g. notification feed, shopping cart price rules) and Information Leakage (e.g. .user.ini PHP settings, media players). Most of these can only be exploited by an authenticated user, but some can be exploited without authentication.
The 2.x updates also include low-severity enhancements, such as replacing older versions of jQuery that cause PCI scans to fail, no longer storing encryption keys in plain text, and fixing vulnerabilities within AngularJS and the setup application.
Some of the entries below also apply to Magento 1.x, but we will detail those in a separate document.
This update should be applied without delay. While most of these vulnerabilities require at least limited admin access, some of the most severe can be exploited by unauthenticated users. The flaws addressed in this upgrade are present on production websites, and their public disclosure puts outdated installations at risk. Details for each entry are below.
| Vulnerability Code | Description | CVSSv3 Score (Severity) | Versions Affected |
|---|---|---|---|
| PRODSECBUG-2123 | PHP Object Injection (POI) and Remote Code Execution (RCE) in the Admin | 9.1 (Critical) | 2.1.x, 2.2.x |
| PRODSECBUG-2160 | Unauthorized File Upload via Customer Attributes | 9.0 (Critical) | 2.1.x, 2.2.x |
| PRODSECBUG-2151 | Remote Code Execution through Path Traversal | 8.8 (High) | 2.1.x, 2.2.x |
| PRODSECBUG-2154 | Remote Code Execution through the Admin | 8.5 (High) | 2.1.x, 2.2.x |
| PRODSECBUG-2057 | Remote Code Execution in Upload of Quote File | 8.5 (High) | 2.1.x, 2.2.x |
| PRODSECBUG-2157 | Remote Code Execution Vulnerability in Race Condition | 8.5 (High) | 2.1.x, 2.2.x |
| PRODSECBUG-2159 | API-Based Remote Code Execution Vulnerability | 8.5 (High) | 1.9.3.x, 1.14.3.x, 2.1.x, 2.2.x |
| PRODSECBUG-2156 | Remote Code Execution through Unauthorized File Upload | 8.5 (High) | 1.9.3.x, 1.14.3.x, 2.1.x, 2.2.x |
| PRODSECBUG-2148 | Remote Code Execution and Arbitrary Move File | 8.5 (High) | 2.1.x, 2.2.x |
| PRODSECBUG-2153 | Unauthorized Read Permissions through Email Templates | 7.7 (High) | 2.1.x, 2.2.x |
| PRODSECBUG-2063 | Bypass of Authorization Check by Unauthorized Users | 7.2 (High) | 2.1.x, 2.2.x |
| PRODSECBUG-2143 | Cross-Site Scripting in the Swagger Generator through Unsanitized URL Parameter | 7.1 (High) | 2.1.x, 2.2.x |
| PRODSECBUG-2113 | Vulnerability in Customer Shopping Cart | 6.5 (Medium) | 2.1.x, 2.2.x |
| PRODSECBUG-2030 | Vulnerability in Staging Campaign Name | 6.5 (Medium) | 2.1.x, 2.2.x |
| PRODSECBUG-2053 | Vulnerability in Newsletter Template | 6.5 (Medium) | 1.9.3.x, 1.14.3.x, 2.1.x, 2.2.x |
| PRODSECBUG-1726 | Customer Gift Card Vulnerability | 6.5 (Medium) | 2.1.x, 2.2.x |
| MAGETWO-91785 | Vulnerability within Return Order Requests | 6.3 (Medium) | 2.1.x, 2.2.x |
| PRODSECBUG-2146 | Remote Code Execution through the Product Media Upload in the Admin | 6.0 (Medium) | 2.1.x, 2.2.x |
| MAGETWO-90725 | Vulnerability in Admin Alert Message | 5.9 (Medium) | 2.1.x, 2.2.x |
| PRODSECBUG-2138 | Widget-Based XSS Vulnerability | 5.8 (Medium) | 2.1.x, 2.2.x |
| PRODSECBUG-2126 | Unauthorized Modification of the feed_url Configuration Setting | 5.8 (Medium) | 2.1.x, 2.2.x |
| PRODSECBUG-2152 | ACL Bypass of Shopping Cart Price Rules | 5.4 (Medium) | 2.1.x, 2.2.x |
| PRODSECBUG-2136 | Stored Cross-Site Scripting (XSS) in Admin | 5.4 (Medium) | 2.1.x, 2.2.x |
| MAGETWO-94370 | Customer Bypass of Restrictions | 5.4 (Medium) | 2.1.x, 2.2.x |
| PRODSECBUG-1883 | Leakage of Custom PHP Settings from .user.ini File | 5.3 (Medium) | 2.1.x, 2.2.x |
| PRODSECBUG-2131 | Bypass of Authorization Possible through Vulnerability in render_handle | 5.0 (Medium) | 2.1.x, 2.2.x |
| PRODSECBUG-2071 | Vulnerability in Cart | 4.8 (Medium) | 2.1.x, 2.2.x |
| PRODSECBUG-1917 | Password Protection via External Auth Injection | 4.3 (Medium) | 2.1.x, 2.2.x |
| PRODSECBUG-1505 | Vulnerability for Authenticated Users | 4.3 (Medium) | 2.1.x, 2.2.x |
| MAGETWO-95681 | Cross-Site Data Leakage | 4.3 (Medium) | 2.1.x, 2.2.x |
| PRODSECBUG-2069 | Vulnerability in Attribute Group Name | 4.2 (Medium) | 2.1.x, 2.2.x |
| PRODSECBUG-2088 | CSRF Vulnerability Related to Customer Group Deletion | 4.2 (Medium) | 1.9.3.x, 1.14.3.x, 2.1.x, 2.2.x |
| PRODSECBUG-2108 | Outdated jQuery Causes PCI Scanning Failure | 0.0 (None) | 1.9.3.x, 1.14.3.x, 2.1.x, 2.2.x |
| MAG-12, MAG-2 | Encryption Keys Stored in Plain Text | 0.0 (None) | 1.9.3.x, 1.14.3.x, 2.1.x, 2.2.x |
| PRODSECBUG-2074 | AngularJS and Setup Application Are Vulnerable | 0.0 (None) | 2.1.x, 2.2.x |
All websites running Magento 2.1.x versions below 2.1.16 or Magento 2.2.x versions below 2.2.7 are affected; Magento 2.3.0 ships with the fixes included.
No known issues have been reported by the Magento community for this security update at the time of writing. We will continue to monitor the appropriate channels for future issues.
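A quick way to triage a fleet of stores against the affected range above is to feed each store's reported version into a small comparison against the first fixed release on its branch. The following is an added example written for this post, not code from Magento or from the post's author; it assumes the version is obtained from the output of `bin/magento --version` (taken here to look like "Magento CLI version 2.2.5"), and every sample string in it is constructed. Only the 2.x branches covered by this post are encoded; 1.x is deliberately reported as "not covered", since those updates are detailed separately.

```python
"""Triage Magento 2 version strings against the affected range in this post.

Added example (not Magento's code, not the post author's code).  Assumed
input format: a bare "x.y.z" string or a `bin/magento --version` line such
as "Magento CLI version 2.2.5".  All sample strings below are constructed.
"""
import re

# First release on each 2.x branch that carries the fixes discussed above:
# 2.1.16 and 2.2.7 are the security updates; 2.3.0 ships already fixed.
PATCHED = {
    (2, 1): (2, 1, 16),
    (2, 2): (2, 2, 7),
    (2, 3): (2, 3, 0),
}

# Match the first x.y.z triple; a trailing "-p1" style suffix is ignored.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a raw version string or a
    `bin/magento --version` line.  Raises ValueError if no x.y.z is present."""
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError("no x.y.z version found in %r" % text)
    return tuple(int(part) for part in match.groups())


def is_affected(text):
    """True if the store still needs this update, False if it is at or above
    the fixed release for its branch, None if the branch (e.g. 1.x) is not
    covered by this post."""
    major, minor, patch = parse_version(text)
    fixed = PATCHED.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) < fixed


def check(text):
    """Human-readable verdict for one store, suitable for a triage report."""
    major, minor, patch = parse_version(text)
    version = "%d.%d.%d" % (major, minor, patch)
    verdict = is_affected(text)
    if verdict is None:
        return "%s: branch not covered by this advisory" % version
    if verdict:
        fixed = ".".join(str(p) for p in PATCHED[(major, minor)])
        return "%s: AFFECTED, upgrade to %s or later" % (version, fixed)
    return "%s: patched" % version


if __name__ == "__main__":
    # Constructed sample inventory, e.g. collected from `bin/magento --version`
    # on each host; the line format is assumed.
    inventory = [
        "Magento CLI version 2.1.15",
        "Magento CLI version 2.1.16",
        "Magento CLI version 2.2.5",
        "Magento CLI version 2.2.7",
        "Magento CLI version 2.3.0",
        "1.9.3.8",
    ]
    for line in inventory:
        print(check(line))
```

Because the comparison is per branch, a 2.1.16 store is correctly reported as patched even though it is numerically "below" 2.2.7, and a 2.2.x store is not told to jump to 2.3.0 when 2.2.7 is sufficient.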
Security Update: 2.1.16 & 2.2.7 Security Update
Blog Posts: Magento 2.3.0 Announcement