On September 14 a new Magento security patch was released. It fixes almost 40 issues and improves the security against cross-site request forgery vulnerabilities. The security patch is in version 1.9.3.6, 2.0.16 and 2.1.9. It’s important that this update is installed as soon as possible, because the vulnerabilities which are closed in this update are already being exploited. More about the update can be found in the Magento Tech Resources.
The fixed security issues:
- APPSEC-1838: RSS session admin cookie can be used to gain Magento administrator privileges.
- APPSEC-1800: Remote Code Execution vulnerability in CMS and layouts
- APPSEC-1835: Exposure of Magento secret key from app/etc/local.xml
- APPSEC-1757: Directory traversal in template configuration
- APPSEC-1852: CSRF + Stored Cross Site Scripting (customer group)
- APPSEC-1494: AdminNotification Stored XSS
- APPSEC-1793: Potential file uploads solely protected by .htaccess
- APPSEC-1853: CSRF + Stored Cross Site Scripting in newsletter template
- APPSEC-1729: XSS in admin order view using order status label in Magento
- APPSEC-1579: Customer Segment Delete Action uses GET instead of POST request
- APPSEC-1588: Order Item Custom Option Disclosure
- APPSEC-1599: Admin login does not handle autocomplete feature correctly
- APPSEC-1688: Secure cookie check to prevent MITM not expiring user sessions
The additional fixes and enhancements for Magento 2.0.16 and 2.1.9
- Magento added support for the change to the USPS API that USPS implemented on September 1, 2017. After installing or upgrading to this release, the discontinued First-Class Mail Parcel service will change to First-Class Package Service – Retail.
- Magento now logs all expected exception information in the
exception.logfile when a payment transaction fails. - Magento changed how it displays status updates during a product upgrade. Previously, potentially vulnerable information such as full paths and module names were displayed in the product GUI, potentially exposing this information to a malicious user. Magento now restricts this potentially vulnerable information to logs that are available to administrators only.
Remember to create a backup before installing an update.
(Beitragsbild von peshkova)
