MAGENTO SECURITY PATCH SUPEE-11155 RELEASED
Categorized as: Security Patches
Magento Inc. has released a new patch that closes a number of serious vulnerabilities, including several in cross-site operations. SUPEE-11155 stands guard over your Magento store.
Magento has always kept a sharp eye on the platform's security and performance, aiming to give any ecommerce business with far-reaching ambitions the safest possible environment. The timely and powerful security patch SUPEE-11155 shows Magento maintenance at its best. The patch contains multiple security enhancements that close remote code execution, cross-site scripting, cross-site request forgery and other vulnerabilities.
Choose one of the following today, depending on your Magento version, to keep the store running reliably:
- Install SUPEE-11155 or upgrade to Magento Commerce 1.14.4.2
- Install SUPEE-11155 or upgrade to Magento Open Source 1.9.4.2
List of high CVSSv3 severity issues addressed by the present security patch:
- Arbitrary code execution in the advanced admin logging configuration – CVE-2019-7893
  A user with administrator privileges and access to the advanced admin logging configuration can trigger remote code execution via PHP Object Injection.
- Arbitrary code execution by importing malicious dataflow profiles – CVE-2019-7884
  An authenticated user with privileges to edit block permissions, import dataflow functionality, and modify CMS content can execute arbitrary code by importing malicious dataflow profiles.
- Arbitrary code execution via crafted sitemap creation – CVE-2019-7932
  An authenticated user with admin privileges to create sitemaps can execute arbitrary code via crafted filenames that include a PHP extension within the XML filename.
- PHP Object Injection in the Currency setup feature can lead to arbitrary code execution – CVE-2019-7914
  A PHP Object Injection vulnerability in the currency setup feature can be exploited by an authenticated user with administrator privileges to execute arbitrary code.
- PHP Object Injection in the Admin Actions Logging feature can lead to arbitrary code execution – CVE-2019-7946
  A PHP Object Injection vulnerability in the admin actions logging configuration feature can be exploited by an authenticated user with administrator privileges to execute arbitrary code.
- PHP Object Injection in the Model Design Package can lead to arbitrary code execution – CVE-2019-7906
  A PHP Object Injection vulnerability in the model design package can be exploited by an authenticated user with administrator privileges to execute arbitrary code.
- PHP Object Injection in the Enterprise Logging feature can lead to arbitrary code execution – CVE-2019-7905
  A PHP Object Injection vulnerability in the enterprise logging configuration feature can be exploited by an authenticated user with administrator privileges to execute arbitrary code.
- Remote code execution via dataflow import and catalog functionality – CVE-2019-7952
  An authenticated user with admin privileges can execute arbitrary code via layout updates when using a crafted combination of dataflow import and catalog categories.
- Arbitrary code execution due to unsafe handling of system configuration – CVE-2019-7911
  An authenticated user with admin privileges to manipulate system configuration can execute arbitrary code through server-side request forgery.
- Arbitrary code execution due to unsafe handling of payment bridge gateway – CVE-2019-7910
  An authenticated user with admin privileges to manipulate payment methods can execute arbitrary code through server-side request forgery.
- Arbitrary code execution due to unsafe deserialization of configuration fields – CVE-2019-7907
  An authenticated user with configuration privileges can execute arbitrary code due to unserialization of user-controlled configuration values.
- Stored cross-site scripting in admin panel – CVE-2019-7909
  A stored cross-site scripting vulnerability exists in the admin panel. It could be exploited by an authenticated user with privileges to the admin panel to inject malicious JavaScript.
- Stored cross-site scripting in the admin panel – CVE-2019-7875
  A stored cross-site scripting vulnerability exists in the admin panel. It could be exploited by an authenticated user with privileges to the admin panel to inject malicious JavaScript.
- Stored cross-site scripting in the admin panel – CVE-2019-7933
  A stored cross-site scripting vulnerability exists in the admin panel. It could be exploited by an authenticated user with privileges to the admin panel to inject malicious JavaScript.
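Several of the issues above (CVE-2019-7907 and the PHP Object Injection entries) share one root cause: calling `unserialize()` on a configuration value an admin can set. The following is an added illustration, not Magento's code, of a hypothetical config-field loader in its unsafe form next to a hardened form that refuses to instantiate any class; it assumes PHP 8.

```php
<?php
// Added example (hypothetical loader, not Magento's own code), PHP 8.

// Unsafe pattern: unserialize() on a stored config value will instantiate
// whatever class the serialized string names, running that class's
// __wakeup()/__destruct() logic. That is the PHP Object Injection primitive
// behind the issues listed above.
function loadConfigFieldUnsafe(string $stored): mixed
{
    return unserialize($stored);
}

// Hardened pattern: allowed_classes => false turns every object in the
// payload into __PHP_Incomplete_Class, so no application class is ever
// instantiated; anything that still contains an object is then rejected.
// New code should store JSON instead and avoid unserialize() entirely.
function loadConfigFieldSafe(string $stored): array|int|float|string|bool|null
{
    $value = @unserialize($stored, ['allowed_classes' => false]);
    if ($value === false && $stored !== serialize(false)) {
        throw new InvalidArgumentException('Malformed config value');
    }
    if (containsObject($value)) {
        throw new InvalidArgumentException('Objects are not permitted in config values');
    }
    return $value;
}

function containsObject(mixed $v): bool
{
    if (is_object($v)) {
        return true;
    }
    if (is_array($v)) {
        foreach ($v as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed sample values: a legitimate array-valued field, and a stored
// value that carries an object (the shape a deserialization attack relies on).
$legit = serialize(['weight_unit' => 'kg', 'decimals' => 2]);
$objectCarrying = serialize((object) ['note' => 'constructed sample']);

var_dump(loadConfigFieldSafe($legit));
try {
    loadConfigFieldSafe($objectCarrying);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```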
Source: Magento