Magento Security Update 2.0.16 & 2.1.9

Written by Ray Bogman.

Recently 34 security vulnerabilities were discovered in Magento 2.0.x and 2.1.x and fixed in a patch. The vulnerabilities are present in all versions of Magento 2.0.x and 2.1.x; both Magento Open Source (formerly Magento Community) and Magento Commerce (formerly Magento Enterprise) shops are affected. Officially, patches are only available for the Magento 2.0 and Magento 2.1 series.

What are the 34 vulnerabilities in Magento 2?

  • APPSEC-1800: Remote Code Execution vulnerability in CMS and layouts
    • CVSSv3 Severity: 8.2 (Critical)
  • APPSEC-1887: Arbitrary File Disclose
    • CVSSv3 Severity: 7.8 (High)
  • APPSEC-1850: Arbitrary File Delete
    • CVSSv3 Severity: 6.8 (High)
  • APPSEC-1851: Arbitrary file delete + Lack of input sanitization leading to Remote Code Execution
    • CVSSv3 Severity: 6.8 (High)
  • APPSEC-1567: Order history disclosure
    • CVSSv3 Severity: 6.7 (Medium)
  • APPSEC-1769: Overwrite a Relative Path in Sitemap
    • CVSSv3 Severity: 6.5 (Medium)
  • APPSEC-1713: Setup pages expose sensitive data
    • CVSSv3 Severity: 6.4 (Medium)
  • APPSEC-1852: CSRF + Stored Cross Site Scripting (customer group)
    • CVSSv3 Severity: 6.0 (Medium)
  • APPSEC-1482: Security Issue with referrer
    • CVSSv3 Severity: 5.9 (Medium)
  • APPSEC-1502: Stored XSS - Add new group in Attribute set name
    • CVSSv3 Severity: 5.9 (Medium)
  • APPSEC-1494: AdminNotification Stored XSS
    • CVSSv3 Severity: 5.9 (Medium)
  • APPSEC-1793: Potential file uploads solely protected by .htaccess
    • CVSSv3 Severity: 5.8 (Medium)
  • APPSEC-1819: Customer login authenticates two different sessions
    • CVSSv3 Severity: 5.8 (Medium)
  • APPSEC-1802: Customer registration through frontend does not have anti-CSRF protection
    • CVSSv3 Severity: 5.8 (Medium)
  • APPSEC-1493: CMS Page Title Stored XSS
    • CVSSv3 Severity: 5.8 (Medium)
  • APPSEC-1755: Anti-CSRF form_key is not changed after login
    • CVSSv3 Severity: 5.8 (Medium)
  • APPSEC-1853: CSRF + Stored Cross Site Scripting in newsletter template
    • CVSSv3 Severity: 5.5 (Medium)
  • APPSEC-1729: XSS in admin order view using order status label in Magento
    • CVSSv3 Severity: 5.5 (Medium)
  • APPSEC-1775: Stored Cross-Site Scripting in email template bypass
    • CVSSv3 Severity: 5.5 (Medium)
  • APPSEC-1591: Stored XSS on product thumbnail
    • CVSSv3 Severity: 5.5 (Medium)
  • APPSEC-1896: Possible XSS in admin order view using order code label
    • CVSSv3 Severity: 5.5 (Medium)
  • APPSEC-1673: Stored xss using svg images in Favicon
    • CVSSv3 Severity: 5.5 (Medium)
  • APPSEC-1773: Injection on Page leading to DoS
    • CVSSv3 Severity: 5.5 (Medium)
  • APPSEC-1577: Stored XSS in integration activation
    • CVSSv3 Severity: 5.5 (Medium)
  • APPSEC-1510: Any admin user can upload Favicon Icon
    • CVSSv3 Severity: 5.5 (Medium)
  • APPSEC-1545: Stored XSS through customer group name in admin panel
    • CVSSv3 Severity: 5.5 (Medium)
  • APPSEC-1535: Access Control Lists not validated when using quick edit mode in tables
    • CVSSv3 Severity: 5.0 (Medium)
  • APPSEC-1588: Order Item Custom Option Disclosure
    • CVSSv3 Severity: 4.9 (Medium)
  • APPSEC-1701: API token does not correctly expire
    • CVSSv3 Severity: 4.9 (Medium)
  • APPSEC-1630: Anonymous users can view upgrade progress updates
    • CVSSv3 Severity: 4.8 (Medium)
  • APPSEC-1628: Full Path Disclosure Web Root Directory
    • CVSSv3 Severity: 4.4 (Medium)
  • APPSEC-1599: Admin login does not handle autocomplete feature correctly
    • CVSSv3 Severity: 4.1 (Medium)
  • APPSEC-1709: Customer email enumeration through frontend login
    • CVSSv3 Severity: 3.9 (Low)
  • APPSEC-1495: Any user can interact with the sales order function despite not being authorized
    • CVSSv3 Severity: 3.8 (Low)

Important!

Use Magento 2.0.16 or 2.1.9 CE or EE for all new Community or Enterprise installations and upgrades to get the latest improvements, features and security updates.

What should I do to address the Magento security issues?

We advise our customers to patch as soon as possible.

We are happy to do this for you. E-mail us via our support request form or call us on 020 337 59 61.

The Magento 2 security patch can be installed via the Magento 2 CLI or the Magento 2 setup GUI. Always make a backup of the database and the files first, before the patch is applied.
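The backup-first CLI procedure described above, written out as an added example (this is not code from the original article or from SupportDesk). It assumes the shop root in MAGENTO_ROOT, a database name in DB_NAME and MySQL client credentials in ~/.my.cnf; only the two releases the article names are accepted as targets. With DRY_RUN=1 (the default) every command is printed instead of executed, so the plan can be reviewed before it touches a live shop.

```shell
#!/bin/sh
# Added example: backup-first Magento 2 security patch via the Magento 2 CLI.
# Assumed values: MAGENTO_ROOT, DB_NAME, BACKUP_DIR and EDITION below are
# placeholders, not paths or names from the article.
set -eu

DRY_RUN="${DRY_RUN:-1}"                              # 1 = print only, 0 = execute
MAGENTO_ROOT="${MAGENTO_ROOT:-/var/www/magento2}"    # assumed shop root
DB_NAME="${DB_NAME:-magento}"                        # assumed database name
BACKUP_DIR="${BACKUP_DIR:-/var/backups/magento2}"    # assumed backup location
EDITION="${EDITION:-community}"                      # community (CE) or enterprise (EE)

# run: print the command; execute it only when DRY_RUN=0
run() {
    printf '%s\n' "$*"
    [ "$DRY_RUN" = "1" ] || eval "$*"
}

# check_target: accept only the patched releases named in the article
check_target() {
    case "$1" in
        2.0.16|2.1.9) return 0 ;;
        *) return 1 ;;
    esac
}

# backup_shop: database dump plus file tarball, both stamped with the time
backup_shop() {
    stamp=$(date +%Y%m%d-%H%M%S)
    run "mkdir -p '$BACKUP_DIR'"
    run "mysqldump --single-transaction '$DB_NAME' | gzip > '$BACKUP_DIR/db-$stamp.sql.gz'"
    run "tar -czf '$BACKUP_DIR/files-$stamp.tar.gz' -C '$MAGENTO_ROOT' ."
}

# patch_magento: pull the patched release with composer, then run the
# standard setup:upgrade / compile / deploy sequence behind maintenance mode
patch_magento() {
    version="$1"
    check_target "$version" || { echo "unsupported target $version" >&2; return 1; }
    run "cd '$MAGENTO_ROOT'"
    run "bin/magento maintenance:enable"
    run "composer require magento/product-${EDITION}-edition=$version --no-update"
    run "composer update"
    run "bin/magento setup:upgrade"
    run "bin/magento setup:di:compile"
    run "bin/magento setup:static-content:deploy"
    run "bin/magento cache:flush"
    run "bin/magento maintenance:disable"
}

# patch_plan: the complete backup-then-patch sequence for one target release
patch_plan() {
    backup_shop
    patch_magento "$1"
}

# Stand-alone usage: ./patch.sh 2.1.9 prints the plan; DRY_RUN=0 ./patch.sh 2.1.9 applies it.
if [ "${1:-}" != "" ]; then
    patch_plan "$1"
fi
```

The backup runs before maintenance mode is enabled, so the dump reflects the shop as customers last saw it; the database dump and file tarball share one timestamp so they can be restored as a pair if setup:upgrade fails.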


This article was written by Ray Bogman, co-founder of SupportDesk, where he serves as Technical Director.
