This post is meant to inform you about the security updates released for all existing versions of Magento 1. These updates include 19 security fixes; most are rated “Medium” severity, but several are “High” and two are “Critical”. The two critical fixes stop attackers from brute-forcing their way into the admin panel through the basic authentication on the RSS feeds, and remove the functionality that allowed customer credit card information to be stored in the database.
Several of the “High” and “Medium” fixes close Remote Code Execution (RCE) paths in admin areas such as customer import, CMS pages, video upload, API calls, and dataflow. Many others correct Cross-Site Scripting (XSS) issues reachable with admin access in the Newsletter template settings, CMS previews with version history, image uploads, and even the Google Analytics configuration. Cross-Site Request Forgery (CSRF) fixes cover customer group deletion and Site Map deletion, both of which could previously be triggered by GET requests, the privilege escalation that went with them, and mass deletion of Blocks.
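The CSRF items above share one root cause: a state-changing admin action that fires on a GET request and checks nothing beyond the presence of an admin session. The following is an added illustration, not Magento's code and not the patch, of that weak handler beside the hardened form (POST only, plus a per-session form key compared in constant time). All function and variable names are hypothetical, and the session and requests are constructed inline.

```php
<?php
// Added illustration, not Magento's code: the pattern behind the CSRF fixes for
// customer group, Block and Site Map deletion. A delete handler that fires on a GET
// request with no per-session token can be triggered by any page the logged-in admin
// visits; the hardened handler requires POST plus a form key checked in constant time.
// All names below are hypothetical; the session and requests are constructed inline.

// Constructed stand-in for the admin session (Magento 1 keeps the form key in core/session).
$session = array('is_admin' => true, 'form_key' => bin2hex(random_bytes(8)));

// BEFORE: only checks that an admin session exists, so request method and origin do not matter.
function deleteGroupVulnerable(array $session, array $request, array &$groups)
{
    if (empty($session['is_admin'])) {
        return 'forbidden';
    }
    $id = isset($request['params']['id']) ? (int)$request['params']['id'] : 0;
    if (!isset($groups[$id])) {
        return 'not found';
    }
    unset($groups[$id]);
    return 'deleted';
}

// AFTER: a state-changing action must be a POST carrying the session's form key.
function deleteGroupHardened(array $session, array $request, array &$groups)
{
    if (empty($session['is_admin'])) {
        return 'forbidden';
    }
    if ($request['method'] !== 'POST') {
        return 'method not allowed';
    }
    $sent = isset($request['params']['form_key']) ? (string)$request['params']['form_key'] : '';
    // hash_equals avoids leaking the key through timing differences in string comparison.
    if ($sent === '' || !hash_equals($session['form_key'], $sent)) {
        return 'invalid form key';
    }
    $id = isset($request['params']['id']) ? (int)$request['params']['id'] : 0;
    if (!isset($groups[$id])) {
        return 'not found';
    }
    unset($groups[$id]);
    return 'deleted';
}

// Constructed requests: a bare GET (what a cross-site link or image would produce)
// and a legitimate POST from the admin's own delete button.
$groups    = array(1 => 'General', 2 => 'Wholesale', 3 => 'Retailer');
$bareGet   = array('method' => 'GET',  'params' => array('id' => 3));
$adminPost = array('method' => 'POST', 'params' => array('id' => 3, 'form_key' => $session['form_key']));

$copy = $groups;
printf("vulnerable handler, bare GET:  %s (%d groups left)\n",
    deleteGroupVulnerable($session, $bareGet, $copy), count($copy));
$copy = $groups;
printf("hardened handler, bare GET:    %s (%d groups left)\n",
    deleteGroupHardened($session, $bareGet, $copy), count($copy));
printf("hardened handler, admin POST:  %s (%d groups left)\n",
    deleteGroupHardened($session, $adminPost, $copy), count($copy));
```

Run it with `php` on the command line. The method check alone is not enough, since a cross-site form can POST; the form key is what ties the request to the admin's own session, which is why Magento's fix adds it to the delete URL rather than only switching the verb.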
The remaining patch items: in Enterprise Edition, several places where website, store, and store group names were rendered unescaped in templates are now escaped; the customer wishlist module is hardened so that it cannot be used for spamming; and CAPTCHA can now be enabled on the “Send to a Friend” feature to stop bots from exhausting the mailer.
The 1.x updates also include low-severity enhancements, such as replacing older versions of jQuery that caused PCI scans to fail and preventing admin panels from being reachable from outside a whitelist.
Some of the vulnerabilities below also apply to Magento 2.x, but we will detail those in a separate post.
This patch warrants expedited deployment. While most of these vulnerabilities require at least limited Admin access, some of the most severe and high-risk ones can be exploited by anonymous users. The issues addressed by the patch/upgrade are present on production websites, and their public disclosure puts unpatched or outdated sites at risk. Details for each entry are below.
| Vulnerability Code | Description | CVSSv3 Severity | Versions Affected |
| --- | --- | --- | --- |
| PRODSECBUG-1589 | Stops Brute Force Requests via basic RSS authentication | 9.0 (Critical) | 1.9.3.x, 1.14.3.x |
| MAG-23 | M1 Credit Card Storage Capability | 9.0 (Critical) | 1.9.3.x, 1.14.3.x |
| PRODSECBUG-2149 | Authenticated RCE using customer import | 8.5 (High) | 1.9.3.x, 1.14.3.x |
| PRODSECBUG-2159 | API Based RCE Vulnerability | 8.5 (High) | 1.9.3.x, 1.14.3.x, 2.1.x, 2.2.x |
| PRODSECBUG-2156 | RCE Via Unauthorized Upload | 8.5 (High) | 1.9.3.x, 1.14.3.x, 2.1.x, 2.2.x |
| PRODSECBUG-2155 | Authenticated RCE using dataflow | 8.5 (High) | 1.9.3.x, 1.14.3.x |
| PRODSECBUG-2053 | Prevents XSS in Newsletter Template | 6.5 (Medium) | 1.9.3.x, 1.14.3.x, 2.1.x, 2.2.x |
| PRODSECBUG-2142 | XSS in CMS Preview | 6.5 (Medium) | 1.9.3.x, 1.14.3.x |
| PRODSECBUG-1860 | Admin Account XSS Attack Cessation via Filename | 6.5 (Medium) | 1.9.3.x, 1.14.3.x |
| PRODSECBUG-2119 | EE Patch to include names in templates | 6.5 (Medium) | 1.9.3.x, 1.14.3.x |
| PRODSECBUG-2129 | XSS in Google Analytics Vulnerability | 6.5 (Medium) | 1.9.3.x, 1.14.3.x |
| PRODSECBUG-2019 | Merchant Wishlist Security Strengthening | 5.3 (Medium) | 1.9.3.x, 1.14.3.x |
| PRODSECBUG-2104 | Send to a Friend Vulnerability | 5.3 (Medium) | 1.9.3.x, 1.14.3.x |
| PRODSECBUG-2125 | CSRF on deletion of Blocks Vulnerability | 4.2 (Medium) | 1.9.3.x, 1.14.3.x |
| PRODSECBUG-2088 | CSRF Vulnerability related to Customer Group Deletion | 4.2 (Medium) | 1.9.3.x, 1.14.3.x, 2.1.x, 2.2.x |
| PRODSECBUG-2140 | CSRF on deletion of Site Map | 4.2 (Medium) | 1.9.3.x, 1.14.3.x |
| PRODSECBUG-2108 | Outdated jQuery causing PCI scanning failures | 0.0 (None) | 1.9.3.x, 1.14.3.x, 2.1.x, 2.2.x |
| MAG-12, MAG-2 | Encryption Keys Stored in Plain Text | 0.0 (None) | 1.9.3.x, 1.14.3.x, 2.1.x, 2.2.x |
| PRODSECBUG-2141 | Unauthorized Admin Panel Bypass | 0.0 (None) | 1.9.3.x, 1.14.3.x |
All websites running Magento 1.9.3.x versions below 188.8.131.52, and all websites running Magento 1.14.3.x versions below 184.108.40.206 are affected.
The Magento community has identified a few issues with the latest 1.x patch. They are as follows:
- When secret keys are enabled, customer groups can no longer be deleted from the admin panel, because the new Mage_Adminhtml_Block_Customer_Group_Edit::getDeleteUrl() method is missing a return statement.
- Disabling the Magento_Sendfriend module now results in an exception unless the Magento_Captcha module is disabled first.
- Template changes for the new Magento_Sendfriend CAPTCHA support were made only in the rwd/default theme package, not in base/default. If your theme falls back to base/default, or you use base/default directly, CAPTCHA will not be available without modifying those template files.
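The first known issue is easy to misread as a permissions problem. The following is an added, hypothetical stand-in for the affected block, not the contents of Mage_Adminhtml_Block_Customer_Group_Edit or of the patch; it shows the shape of a getDeleteUrl() whose secret-key branch builds the URL but never returns it, which is why the Delete button only stops working once admin secret keys are turned on. The class name, the simplified getUrl() and the form key value are all constructed for the example.

```php
<?php
// Added illustration of the first known issue; a hypothetical stand-in, not the code of
// Mage_Adminhtml_Block_Customer_Group_Edit. With secret keys enabled, execution takes the
// branch that evaluates getUrl() and discards the result, so the method returns null and
// the Delete button is rendered with an empty URL.

class CustomerGroupEditStandIn
{
    private $useSecretKey;
    private $groupId;
    private $formKey;

    public function __construct($useSecretKey, $groupId, $formKey)
    {
        $this->useSecretKey = (bool)$useSecretKey;
        $this->groupId      = (int)$groupId;
        $this->formKey      = (string)$formKey;
    }

    // Simplified stand-in for the block's getUrl(); Magento's real admin URL model also
    // appends the per-session secret key as a /key/<hash>/ segment when it is enabled.
    private function getUrl($route, array $params)
    {
        $url = '/index.php/admin/' . trim($route, '/');
        foreach ($params as $name => $value) {
            $url .= '/' . rawurlencode($name) . '/' . rawurlencode($value);
        }
        return $url . '/';
    }

    // Shape of the defect: only the non-secret-key branch returns a value.
    public function getDeleteUrlBuggy()
    {
        if (!$this->useSecretKey) {
            return $this->getUrl('customer_group/delete', array(
                'id'       => $this->groupId,
                'form_key' => $this->formKey,
            ));
        } else {
            $this->getUrl('customer_group/delete', array('id' => $this->groupId));
        }
    }

    // Corrected shape: both branches return the URL they build.
    public function getDeleteUrlFixed()
    {
        if (!$this->useSecretKey) {
            return $this->getUrl('customer_group/delete', array(
                'id'       => $this->groupId,
                'form_key' => $this->formKey,
            ));
        }
        return $this->getUrl('customer_group/delete', array('id' => $this->groupId));
    }
}

// Constructed inputs: customer group id 3 and a made-up form key.
foreach (array(false, true) as $secretKeys) {
    $block = new CustomerGroupEditStandIn($secretKeys, 3, 'constructedFormKey');
    printf("secret keys %s: buggy=%s fixed=%s\n",
        $secretKeys ? 'on ' : 'off',
        var_export($block->getDeleteUrlBuggy(), true),
        var_export($block->getDeleteUrlFixed(), true));
}
```

Magento 1 maps class names to file paths by convention, so the real method lives in app/code/core/Mage/Adminhtml/Block/Customer/Group/Edit.php; confirming that every branch of getDeleteUrl() there returns a value is the quickest way to tell whether an installation carries this issue, and the corrected shape above is the kind of change a local override would apply.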
Security Update: SUPEE-10975
Known Issues: Magento SX Thread