Magento, one of the most popular e-commerce platforms, is a frequent target for cyber-criminals. Much of its popularity is owed to its strict security practices, timely updates of the system core and prompt fixes for security issues. Magento's latest security update contains multiple security enhancements. These updates apply to Magento Open Source (formerly Community Edition) and Magento Commerce (formerly Enterprise Edition):
- Magento Open Source and Magento Commerce 2.1.9
- Magento Open Source and Magento Commerce 2.0.16
- Magento Commerce 1.14.3.5
- Magento Open Source 1.9.3.6
- Magento SUPEE-10266 (patch for earlier Magento 1.x versions)
Magento Open Source 1.9.3.6 and SUPEE-10266
SUPEE-10266, Magento Commerce 1.14.3.6 and Open Source 1.9.3.6 contain nearly 40 security changes and enhancements, providing fixes for several functional issues and multiple critical security issues. These updates address cross-site request forgery (CSRF), unauthorized data leak, and authenticated Admin user remote code execution vulnerabilities.
This release addresses the following security issues:
- Gain of Magento administrator privileges using RSS session admin cookie
- Remote Code Execution vulnerability in CMS and layouts
- Exposure of Magento secret key
- Directory traversal in template configuration
- CSRF + Stored Cross Site Scripting (customer group)
- Admin Notification Stored XSS
- CSRF + Stored Cross Site Scripting in newsletter template
- XSS in admin order view using order status label in Magento
- Order Item Custom Option Disclosure
- Admin login does not handle autocomplete feature correctly
Magento Open Source 2.1.9 and 2.0.16
Magento Commerce and Open Source 2.1.9 and 2.0.16 contain multiple security enhancements that help close cross-site request forgery (CSRF), unauthorized data leak, and authenticated Admin user remote code execution vulnerabilities.
Some of the vulnerabilities addressed by these versions are:
- Remote Code Execution vulnerability in CMS and layouts
- Arbitrary File Disclosure
- Lack of input sanitization
- CSRF + Stored Cross Site Scripting (customer group)
- Two different sessions authenticated in customer login
- CSRF + Stored Cross Site Scripting in newsletter template
- Incorrect expiration of API token
- Anonymous users can view upgrade progress updates
- Full Path Disclosure Web Root Directory
- Mishandling of autocomplete feature by admin login
- Customer email enumeration through frontend login
Astra highly recommends that all Magento users and developers upgrade their Magento stores to the versions above as soon as possible. As a general rule, test the new version or the patch first and check for any issues before deploying it to your site. Refer to this How to install Magento SUPEE-10266 guide.
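To act on the upgrade advice above, here is an added example (not Astra's or Magento's own code) that checks a store's version string against the fixed releases listed at the top of this post and, for older Magento 1.x installs, looks for SUPEE-10266 in the contents of app/etc/applied.patches.list. The one-patch-per-line layout of that file and the sample contents are assumptions.

```python
import re

# Fixed releases named in the advisory, keyed by release branch (major, minor).
FIXED = {
    (1, 9): (1, 9, 3, 6),    # Magento Open Source 1.9.3.6
    (1, 14): (1, 14, 3, 5),  # Magento Commerce 1.14.3.5
    (2, 0): (2, 0, 16),      # Open Source / Commerce 2.0.16
    (2, 1): (2, 1, 9),       # Open Source / Commerce 2.1.9
}
PATCH = "SUPEE-10266"  # standalone patch for Magento 1.x installs that are not upgraded

# Constructed sample of app/etc/applied.patches.list; the one-patch-per-line layout is assumed.
SAMPLE_PATCH_LIST = """\
2017-06-01 10:00:00 UTC | SUPEE-XXXXX | CE_1.9.2.4 | placeholder for an earlier patch
2017-09-20 10:00:00 UTC | SUPEE-10266 | CE_1.9.2.4 | v1
"""


def parse_version(text):
    """Turn '1.9.3.6' or '2.1.9-p1' into a tuple of ints (release suffixes are dropped)."""
    core = text.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))


def patch_applied(applied_patches_list, patch=PATCH):
    """True if the patch name appears as a whole token on any line of the list."""
    pattern = re.compile(r"(?<![\w-])" + re.escape(patch) + r"(?![\w-])")
    return any(pattern.search(line) for line in applied_patches_list.splitlines())


def is_patched(version_text, applied_patches_list=""):
    """Return (status, reason): True = covered, False = not covered, None = branch not in the advisory."""
    version = parse_version(version_text)
    fixed = FIXED.get(version[:2])
    if fixed is not None and version >= fixed:
        return True, "%s is at or above fixed release %s" % (version_text, ".".join(map(str, fixed)))
    if version[0] == 1:
        # An older 1.x store can apply SUPEE-10266 instead of upgrading to 1.9.3.6 / 1.14.3.5.
        if patch_applied(applied_patches_list):
            return True, "%s is recorded in applied.patches.list" % PATCH
        return False, "%s predates the fixed release and %s is not recorded" % (version_text, PATCH)
    if fixed is not None:
        return False, "%s is below fixed release %s" % (version_text, ".".join(map(str, fixed)))
    return None, "%s is on a branch this advisory does not name; check its own release notes" % version_text


if __name__ == "__main__":
    for ver, patches in (("2.1.8", ""), ("2.0.16", ""), ("1.9.2.4", ""), ("1.9.2.4", SAMPLE_PATCH_LIST)):
        print(ver, *is_patched(ver, patches))
```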
Looking for a foolproof solution that protects your store 24×7? Give Astra a spin: Astra Magento Plugin.