October 2019 saw Magento Inc. release SUPEE-11219, a brand-new security patch to shield latest versions of Magento eCommerce platform.
Though there have been no known attacks against the present safety issues, Magento team is sharp to respond timely to your suggestions and findings, as well as to continuously test and track the performance of the platform to ensure vulnerability-free environment for any ecommerce business with far-reaching ambitions. The SUPEE-11219 security patch addresses, among other, remote code execution (RCE), cross-site scripting (XSS) and cross-site request forgery (CSRF) issues. These have been noticeably enhanced in Magento Commerce 18.104.22.168 and Open Source 22.214.171.124. At the same time you may opt for the patch and install it on your version of the platform.
More on recent security enhancements
Information on all the changes in 126.96.36.199 and 188.8.131.52 releases is available in the following release notes:
Opt for one of the following with regard to your Magento version, and ensure steadfast performance of your store:
|Magento Commerce 184.108.40.206-220.127.116.11||Install SUPEE-11219 or upgrade to Magento Commerce 18.104.22.168|
|Magento Open Source 22.214.171.124-126.96.36.199||Install SUPEE-11219 or upgrade to Magento Open Source 188.8.131.52|
A word of notice for Magento 2.1.x users
The Magento 2.2.10 software release marks the final supported software release for Magento version 2.1.x. As of June 30 2019, Magento 2.1.x will no longer receive security updates or product quality fixes now that its support window has expired.
Magento SUPEE-11219 security patch addresses the following vulnerabilities within remote code execution (RCE), cross-site scripting (XSS), cross-site requesting, etc:
- Remote code execution through crafted Page – CVE-2019-8144
An authenticated user with administrative privileges to import features can execute arbitrary code through a crafted configuration of file upload.
- Remote code execution via crafted support configuration modification - CVE-2019-8125
A remote code execution vulnerability exists in Magento 1 prior to 1.9.x and 1.14.x. An authenticated admin user can modify configuration parameters via crafted support configuration. The modification can lead to remote code execution.
- Remote code execution through support/output path modification (RCE) - CVE-2019-8230
An authenticated user with administrative privileges to edit configuration settings can execute arbitrary code through a crafted support/output path.
- Remote code execution through catalog attribute sets (RCE) - CVE-2019-8231
An authenticated user with administrative privileges for editing attribute sets can execute arbitrary code through custom layout modification.
- Remote code execution via product layout update - CVE-2019-8091
A remote code execution vulnerability exists in Magento 1 prior to 184.108.40.206 and 220.127.116.11. An authenticated admin user with privileges to access product attributes can leverage layout updates to trigger remote code execution.
- Remote code execution through catalog attributes (RCE) - CVE-2019-8229
An authenticated user with administrative privileges to edit product attributes can execute arbitrary code through crafted layout updates.
- Remote code execution due to a race condition in the import feature (RCE) - CVE-2019-8232
An authenticated user with administrative privileges for the import feature can execute arbitrary code through a race condition that allows configuring file modification via the web server.
- Sensitive information is available in HTTP requests - CVE-2019-8155
Magento included a user's CSRF token in the URL of a GET request. This could be exploited by an attacker with access to network traffic to perform unauthorized actions.
- Cross-site scripting through the WYSIWYG editor (XSS) - CVE-2019-8152
- Stored cross-site scripting through new profile action XML - CVE-2019-8227
- Stored cross-site scripting through transactional emails page when creating new email template - CVE-2019-8228
- Insufficient logging and monitoring of configuration changes - CVE-2019-8123
The logging feature that is required for effective monitoring did not contain sufficient data to effectively track configuration changes.