Magento 2.1.18 is the last update for Magento 2.1.x and was released on June 26. It contains security enhancements to fix vulnerabilities, which allowed cross-site scripting, arbitrary code execution, and sensitive data disclosure. There were no confirmed attacks against those vulnerabilities, but you should install the update as soon as possible.
Security fixes and enhancements
- PaypalRecaptcha module adds Google reCAPTCHA to the Payflow Pro checkout form to prevent spam attacks. No additional configuration is needed to deploy this feature.
- Magento now uses the Image-Charts free service to render static charts in Admin dashboards.
- CGI URL gateway endpoint in the UPS module has been updated from HTTP to HTTPS in response to the disablement of the HTTP gateway by UPS in mid-2019.
- Magento modified the required permissions for updating the
designfieldset of categories, products, and CMS pages.
Fixed Vulnerabilities
- Arbitrary code execution through design layout update (PRODSECBUG-2296)
- Arbitrary code execution through product imports and design layout update (PRODSECBUG-2298)
- Arbitrary code execution via file upload (PRODSECBUG-2349)
- Security bypass via form data injection (PRODSECBUG-2202)
- Arbitrary code execution via malicious XML layouts (PRODSECBUG-2375)
- Remote code execution through crafted email templates (PRODSECBUG-2306)
- MySQL Error through crafted Elasticsearch query (PRODSECBUG-2350)
- Arbitrary code execution via crafted sitemap creation (PRODSECBUG-2351)
- Arbitrary code execution through malicious elastic search module configuration (PRODSECBUG-2266)
There are more security fixes with a CVSSv3 Severity under 9, but they are still very dangerous. You can find a complete list of the 75 fixed vulnerabilities on Magento Tech Resources.
Remember to create a backup before installing updates! Also, stay up to date to prevent your site getting hacked.
