New Security Update

Install critical updates for Magento 1.x and Magento 2.x versions

SUPEE-10752

June 27, 2018

By: Magento Security Team

SUPEE-10752, Magento Commerce 1.14.3.9 and Open Source 1.9.3.9 contain multiple security enhancements that help close authenticated Admin user remote code execution (RCE), cross-site request forgery (CSRF) and other vulnerabilities.

Information on all the changes in 1.14.3.9 and 1.9.3.9 releases is available in the Magento Commerce and Magento Open Source release notes.

NOTE: Conflicts during installation of the patch SUPEE-10752 are caused most often by having version 1 of the previous patch installed (SUPEE-10570v1). Please make sure to remove SUPEE-10570v1 and install SUPEE-10570v2 prior to installation of SUPEE-10752.

Patches and upgrades are available for the following Magento versions:

  • Magento Commerce 1.9.0.0-1.14.3.9: SUPEE-10752 or upgrade to Magento Commerce 1.14.3.9.

  • Magento Open Source 1.5.0.0-1.9.3.9: SUPEE-10752 or upgrade to Magento Open Source 1.9.3.9.

To download a patch or release, choose from the following options:

Partners:

Magento Commerce 1.14.3.9

Partner Portal > Magento Commerce > Magento Commerce 1.X > Magento Commerce 1.x > Version 1.x Releases > Version 1.14.3.9

SUPEE-10752

Partner Portal > Magento Commerce > Magento Commerce 1.X > Magento Commerce 1.x > Support and Security Patches > Security Patches > Security Patches – June 2018 

Magento Commerce Merchants:

Magento Commerce 1.14.3.9

My Account > Downloads Tab > Magento Commerce 1.X > Magento Commerce 1.x > Version 1.x Releases > Version 1.14.3.9

SUPEE-10752

My Account > Downloads Tab > Magento Commerce 1.X > Magento Commerce 1.x > Support and Security Patches > Security Patches > Security Patches – June 2018

Magento Open Source Merchants:

Magento Open Source 1.9.3.9

Magento Open Source Download Page > Release Archive Tab

SUPEE-10752

Magento Open Source Download Page > Release Archive Tab > Magento Open Source Patches - 1.x Section

APPSEC-2001: Authenticated Remote Code Execution (RCE) using custom layout XML
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 9.8 (Critical)
Known Attacks: None
Description:

Admin users with permission to manage products can use custom layout XML to copy any file to any location.

Product(s) Affected: Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9
Fixed In: Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752
Reporter: fabain

APPSEC-2015: Authenticated Remote Code Execution (RCE) through the Create New Order feature (Commerce only)
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 9.8 (Critical)
Known Attacks: None
Description:

Users with permission to generate sales orders from the Admin panel can use gift card functionality to manipulate request data and inject a malicious string that is later unserialized.

Product(s) Affected: Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9
Fixed In: Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752
Reporter: Peter O'Callaghan

APPSEC-2042: PHP Object Injection and RCE in the Magento admin panel (Commerce Target Rule module)
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 8.9 (High)
Known Attacks: None
Description:

An administrator user with access to the Enterprise Target Rule module can create rule-based product relations that can be manipulated to trigger remote code execution.

Product(s) Affected: Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9, Magento 2.1 prior to 2.1.14
Fixed In: Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752, Magento 2.1.14
Reporter: convenient

APPSEC-2029: PHP Object Injection and Remote Code Execution (RCE) in the Admin panel (Commerce)
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 8.9 (High)
Known Attacks: None
Description:

An administrator user with access to the Commerce Target Rule module can create rule-based product relations that can be manipulated to trigger remote code execution.

Product(s) Affected: Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9
Fixed In: Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752
Reporter: convenient

APPSEC-2007: Authenticated SQL Injection when saving a category
Type: SQL Injection (SQLi)
CVSSv3 Severity: 8.2 (High)
Known Attacks: None
Description:

By manipulating request data when saving a category, a user can store a malicious string in the database that is used unsafely in a subsequent request, resulting in SQL injection. The injected SQL can trigger arbitrary INSERT and UPDATE statements, provided they fit in the 255-character field.

Product(s) Affected: Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9
Fixed In: Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752
Reporter: Peter O'Callaghan

APPSEC-2027: CSRF is possible against Web sites, Stores, and Store Views
Type: Cross-Site Request Forgery (CSRF)
CVSSv3 Severity: 7.4 (High)
Known Attacks: None
Description:

Multiple CSRF vulnerabilities allow for deleting websites, stores or store views.

Product(s) Affected: Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9, Magento 2.1 prior to 2.1.14, Magento 2.2 prior to 2.2.5
Fixed In: Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752, Magento 2.1.14, Magento 2.2.5
Reporter: boskostan

APPSEC-1882: The cron.php file can leak database credentials
Type: Security Implementation Flaw
CVSSv3 Severity: 7.4 (High)
Known Attacks: None
Description:

The cron.php file can leak database credentials if it is not able to establish a connection to the database.

Product(s) Affected: Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9
Fixed In: Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752
Reporter: mpchadwick

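The advisory does not say how cron.php exposed the credentials. A common way for a bootstrap script to do so is to let the connection exception escape uncaught: PHP's default rendering of an uncaught exception includes a stack trace, and each frame of that trace lists its arguments, so the DSN, user name and password handed to PDO::__construct land in the HTTP response or the cron job's output. The example below is an added illustration, not Magento's cron.php; the shape of the config array and the logger callable are assumptions made for the example. It catches the failure, records a message that contains no secrets, and exits without echoing the exception.

```php
<?php
// Added example (not Magento code): open the database connection for a cron
// run without letting a connection failure print the credentials.

declare(strict_types=1);

/**
 * Open the connection, or fail with a message that contains no secrets.
 * The keys of $config are an assumption for this example.
 */
function connectForCron(array $config, callable $logger): ?PDO
{
    $dsn = sprintf('mysql:host=%s;dbname=%s', $config['host'], $config['dbname']);
    try {
        return new PDO($dsn, $config['username'], $config['password'], [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]);
    } catch (PDOException $e) {
        // Record only the fact and the driver error code. Do not log
        // $e->getTraceAsString(): the trace includes the arguments passed to
        // PDO::__construct, which is exactly where the password lives.
        $logger(sprintf('cron: database connection failed (PDO error %s)',
            $e->getCode() ?: 'unknown'));
        return null;
    }
}

// Vulnerable pattern, for contrast, kept as a comment so the file still runs:
// an exception escaping from this line is rendered by PHP with a full trace,
// arguments included, so the DSN, user name and password are written out.
//
//   $pdo = new PDO($dsn, $user, $pass);   // throws PDOException on failure

// Constructed sample values; the host below deliberately has no listener so
// the failure path is exercised when the script is run.
$config = [
    'host'     => '127.0.0.1',
    'dbname'   => 'magento',
    'username' => 'magento_user',
    'password' => 'correct-horse-battery-staple',
];

// Write to the PHP error log, never to the response body or stdout.
$logger = static function (string $line): void {
    error_log($line);
};

$pdo = connectForCron($config, $logger);
if ($pdo === null) {
    echo "Cron could not start; see the error log.\n"; // generic, no details
    exit(1);
}
```

Two settings complement the code: display_errors=Off keeps any other uncaught error out of the output, and on PHP 7.4 and later zend.exception_ignore_args=On (already set in php.ini-production) strips argument values from traces even when an exception does escape.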
APPSEC-2006: Stored cross-site scripting (XSS) through the Enterprise Logging extension
Type: Cross-Site Scripting (XSS) - stored
CVSSv3 Severity: 6.5 (Medium)
Known Attacks: None
Description:

The `Enterprise_Logging` extension logs request data when save events are triggered on the website. This information is displayed to administrators with limited privileges who can view the audit log. Although the saved values are escaped before output, the keys are not, which makes it possible to insert cross-site scripting (XSS) on this page.

Product(s) Affected: Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9, Magento 2.1 prior to 2.1.14, Magento 2.2 prior to 2.2.5
Fixed In: Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752, Magento 2.1.14, Magento 2.2.5
Reporter: Peter O'Callaghan

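The APPSEC-2006 description captures a pattern behind most of the stored XSS entries in this bulletin: the developer escaped the part of the data that looked untrusted (the values) and forgot the part that did not (the parameter names). The following added example is not the Enterprise_Logging code; it is a hypothetical audit-log renderer showing the value-only escaping beside the corrected version that escapes every untrusted string, key and value alike, in the HTML context it is written into. The sample request data is constructed for the example.

```php
<?php
// Added example (not Magento's Enterprise_Logging code): render logged request
// data on an Admin audit page, escaping both keys and values.

declare(strict_types=1);

/** Escape one string for an HTML text or attribute context. */
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Vulnerable pattern: only the values are escaped. A request whose parameter
 * *name* carries markup is copied into the page verbatim, and the page is
 * later viewed by other administrators.
 */
function renderRequestDataVulnerable(array $requestData): string
{
    $rows = '';
    foreach ($requestData as $key => $value) {
        $rows .= '<tr><th>' . $key . '</th><td>' . esc((string) $value) . '</td></tr>';
    }
    return '<table>' . $rows . '</table>';
}

/** Fixed pattern: every untrusted string that reaches the output is escaped. */
function renderRequestData(array $requestData): string
{
    $rows = '';
    foreach ($requestData as $key => $value) {
        // PHP turns numeric-string keys into ints, hence the (string) cast.
        $rows .= '<tr><th>' . esc((string) $key) . '</th><td>' . esc((string) $value) . '</td></tr>';
    }
    return '<table>' . $rows . '</table>';
}

// Constructed sample: the shape a logger sees from $_POST on a save request,
// with one parameter name that carries markup.
$sample = [
    'name'     => 'Blue Widget',
    '<b>x</b>' => 'value',
];

$vulnerable = renderRequestDataVulnerable($sample);
$fixed      = renderRequestData($sample);

// The vulnerable output still contains a raw tag; the fixed one does not.
echo 'vulnerable output contains raw <b>: ', var_export(str_contains($vulnerable, '<b>'), true), "\n";
echo 'fixed output contains raw <b>:      ', var_export(str_contains($fixed, '<b>'), true), "\n";
echo $fixed, "\n";
```

The same discipline applies to the other stored-XSS entries here (configuration labels, SKUs, attribute group names, category names, e-mail addresses): decide the escaping by the output context at the point of rendering, not by where the string came from or whether it "looks" user-supplied.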
APPSEC-2005: Persistent Cross-Site Scripting (XSS) injection in Configuration table
Type: Cross-Site Scripting (XSS) - stored
CVSSv3 Severity: 6.5 (Medium)
Known Attacks: None
Description:

A user with access to an Admin account that includes ACL permissions to save the Shipping Methods section of the configuration table can insert cross-site scripting into the database that is subsequently output on every section of the `System > Configuration` table.

Product(s) Affected: Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9
Fixed In: Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752
Reporter: Peter O'Callaghan

APPSEC-1880: Cross-Site Scripting (XSS) through the Admin Username in the CMS Revision Editor (Commerce only)
Type: Cross-Site Scripting (XSS)
CVSSv3 Severity: 6.3 (Medium)
Known Attacks: None
Description:

A user with limited administrator permissions can inject a script that executes during an admin user session. The script is also executed when any user views the affected page on the storefront.

Product(s) Affected: Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9
Fixed In: Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752
Reporter: mpchadwick

APPSEC-2004: Cross-Site Scripting (XSS) through Remote File Inclusion
Type: Cross-Site Scripting (XSS)
CVSSv3 Severity: 6.3 (Medium)
Known Attacks: None
Description:

Users can use WYSIWYG directives to include valid remote images that have embedded malicious code that persists through image recreation.

Product(s) Affected: Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9
Fixed In: Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752
Reporter: boskostan

APPSEC-1988: Path traversal vulnerability in templates
Type: Allowing Directory Traversal
CVSSv3 Severity: 6.3 (Medium)
Known Attacks: None
Description:

A user can set a template path that is not validated, by using a little-known method on Varien_Object.

Product(s) Affected: Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9
Fixed In: Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752
Reporter: Peter O'Callaghan

APPSEC-1987: Reflected cross-site scripting (XSS) through filter manipulation
Type: Cross-Site Scripting (XSS) - reflected
CVSSv3 Severity: 6.1 (Medium)
Known Attacks: None
Description:

Arbitrary JavaScript can be triggered on the Sales Order page by manipulating one of the URL parameters.

Product(s) Affected: Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9
Fixed In: Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752
Reporter: Peter O'Callaghan

APPSEC-2034: XSS in Admin Create Order Configure Product via Compatible File Extensions
Type: Cross-Site Scripting (XSS)
CVSSv3 Severity: 5.0 (Medium)
Known Attacks: None
Description:

An administrator user can inject a malicious script into the file option type when creating a new product with a configurable option of type file. This script is then executed when a user clicks Configure next to the product while creating an order.

Product(s) Affected: Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9
Fixed In: Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752
Reporter: mpchadwick

APPSEC-1876: Cross-Site Scripting (XSS) in Admin Bundle Product Bundle Items Tab through Product SKU
Type: Cross-Site Scripting (XSS)
CVSSv3 Severity: 5.0 (Medium)
Known Attacks: None
Description:

Scripts in product SKUs are evaluated and executed when a user views the Bundle Items tab for a bundled product.

Product(s) Affected: Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9
Fixed In: Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752
Reporter: mpchadwick

APPSEC-1874: Cross-Site Scripting (XSS) in the Admin Gift Registry Type Edit via Attribute Group
Type: Cross-Site Scripting (XSS)
CVSSv3 Severity: 5.0 (Medium)
Known Attacks: None
Description:

A user can inject a malicious script into the Attribute Group value that will be executed whenever a user views a Gift Registry Type in the Admin.

Product(s) Affected: Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9
Fixed In: Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752
Reporter: mpchadwick

APPSEC-1872: Cross-Site Scripting (XSS) in the Admin Manage Catalog Events list through category name
Type: Cross-Site Scripting (XSS)
CVSSv3 Severity: 5.0 (Medium)
Known Attacks: None
Description:

Category names are not escaped when rendered on the Manage Catalog Events list, which results in a cross-site scripting (XSS) vulnerability.

Product(s) Affected: Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9
Fixed In: Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752
Reporter: mpchadwick

APPSEC-1928: Stored XSS in Downloadable Product Links title - frontend
Type: Cross-Site Scripting (XSS) - stored
CVSSv3 Severity: 5.0 (Medium)
Known Attacks: None
Description:

An administrator user with access to edit products can insert a malicious script into downloadable products. The malicious script can be triggered on the front end and in the Admin area.

Product(s) Affected: Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9
Fixed In: Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752
Reporter: magecraze

APPSEC-1871: Cross-Site Scripting (XSS) in the Admin Manage Customer Rewards points history using the Reason field
Type: Cross-Site Scripting (XSS)
CVSSv3 Severity: 5.0 (Medium)
Known Attacks: None
Description:

Admin users with limited privileges can exploit the Reward Points History feature to inject cross-site scripting (XSS).

Product(s) Affected: Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9
Fixed In: Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752
Reporter: mpchadwick

APPSEC-1870: Cross-Site Scripting (XSS) in Admin Manage Invitations list through Invitee email address
Type: Cross-Site Scripting (XSS)
CVSSv3 Severity: 5.0 (Medium)
Known Attacks: None
Description:

A user without Admin credentials can inject cross-site scripting into the Manage Invitations list in the Admin; it is rendered for Admin users who lack the "Manage Customers" permission.

Product(s) Affected: Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9
Fixed In: Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752
Reporter: mpchadwick

APPSEC-1972/APPSEC-2103: Admin password change does not force the logout of the Admin user
Type: Privilege Escalation & Enumeration
CVSSv3 Severity: 4.3 (Medium)
Known Attacks: None
Description:

Password changes initiated from the Admin panel do not force a logout.

Product(s) Affected: Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9
Fixed In: Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752
Reporter: -

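The defensive point behind APPSEC-1972/2103 is that a password change should end every session that was authenticated with the old password, otherwise an account whose credential was already in someone else's hands stays usable after the owner rotates it. The added example below is not Magento's code; it shows one general way to get that behaviour, a password version stored on the account and copied into each session at login, so that a version mismatch rejects any session that pre-dates the change. The account and session classes, and the in-memory storage, are assumptions made for the example (PHP 8 syntax).

```php
<?php
// Added example (not Magento code): make an Admin password change invalidate
// every other session for that account. Storage is in memory here; in a real
// application the account lives in the database and the session in $_SESSION.

declare(strict_types=1);

final class AdminAccount
{
    public string $passwordHash;
    /** Bumped on every password change; sessions carry the value they saw. */
    public int $passwordVersion = 0;

    public function __construct(string $password)
    {
        $this->passwordHash = password_hash($password, PASSWORD_DEFAULT);
    }
}

/** Per-session state (hypothetical shape). */
final class AdminSession
{
    public function __construct(public string $id, public int $passwordVersion) {}
}

function login(AdminAccount $account, string $password): ?AdminSession
{
    if (!password_verify($password, $account->passwordHash)) {
        return null;
    }
    return new AdminSession(bin2hex(random_bytes(16)), $account->passwordVersion);
}

/** Every authenticated request runs this check; stale sessions are rejected. */
function isSessionValid(AdminAccount $account, AdminSession $session): bool
{
    return $session->passwordVersion === $account->passwordVersion;
}

/**
 * Change the password, bump the version so that all other sessions fail the
 * check above, and give the caller's own session a fresh id and the new
 * version (the equivalent of session_regenerate_id(true) plus an update of
 * $_SESSION in a real application).
 */
function changePassword(AdminAccount $account, AdminSession $current, string $old, string $new): bool
{
    if (!password_verify($old, $account->passwordHash)) {
        return false; // re-authenticate before a sensitive change
    }
    $account->passwordHash = password_hash($new, PASSWORD_DEFAULT);
    $account->passwordVersion++;
    $current->id = bin2hex(random_bytes(16));
    $current->passwordVersion = $account->passwordVersion;
    return true;
}

// Walk-through with constructed values: two live sessions for one account.
$account = new AdminAccount('old-password');
$laptop  = login($account, 'old-password');
$other   = login($account, 'old-password'); // a session the admin forgot about

changePassword($account, $laptop, 'old-password', 'new-password');

var_dump(isSessionValid($account, $laptop)); // bool(true): the session that made the change
var_dump(isSessionValid($account, $other));  // bool(false): every other session is logged out
```

Keying the check on a version counter rather than on a "changed at" timestamp avoids clock-skew problems between web nodes, and it extends naturally to other events that should end sessions, such as an administrator-forced reset or a role change.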
APPSEC-1934: Systemic Cross-Site Request Forgery (CSRF) on the Checkout page
Type: Cross-Site Request Forgery (CSRF)
CVSSv3 Severity: 4.3 (Medium)
Known Attacks: None
Description:

An attacker can perform cross-site request forgery (CSRF) against a user's cart on the Checkout page because the page lacks a CSRF token.

Product(s) Affected: Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9
Fixed In: Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752
Reporter: qqwedsawqeqw

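Both CSRF entries in this bulletin, APPSEC-2027 (deleting websites, stores and store views) and APPSEC-1934 (the Checkout page), share the same root cause and the same standard fix: a state-changing request must carry a secret that a cross-site page cannot obtain, and the server must refuse the request when it is absent or wrong. The added example below is not Magento's code; it implements that synchronizer-token check in a small, self-contained form. The session array and the `form_key` field name are assumptions made for the example.

```php
<?php
// Added example (not Magento code): a per-session CSRF token that must
// accompany any state-changing request, such as deleting a store view or
// changing the cart. The session is an array here; in practice it is $_SESSION.

declare(strict_types=1);

const CSRF_SESSION_KEY = '_csrf_token';
const CSRF_FORM_KEY    = 'form_key';   // assumed field name for this example

/** Return the session's token, creating it on first use. */
function csrfToken(array &$session): string
{
    if (!isset($session[CSRF_SESSION_KEY])) {
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

/** Hidden input to embed in every form that changes state. */
function csrfField(array &$session): string
{
    $t = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="' . CSRF_FORM_KEY . '" value="' . $t . '">';
}

/**
 * Validate a request before acting on it. A cross-site page can make the
 * victim's browser send the victim's cookies, but it cannot read the token
 * out of the victim's session or page, so a missing or mismatched token
 * identifies a forged request.
 */
function csrfCheck(array $session, string $method, array $post): bool
{
    if ($method !== 'POST') {
        return false;                      // no state changes via GET links
    }
    $expected = $session[CSRF_SESSION_KEY] ?? null;
    $given    = $post[CSRF_FORM_KEY] ?? null;
    if (!is_string($expected) || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given); // constant-time comparison
}

// Constructed walk-through.
$session = [];
echo csrfField($session), "\n";           // what the legitimate form renders

$legit  = [CSRF_FORM_KEY => $session[CSRF_SESSION_KEY], 'store_id' => '3'];
$forged = ['store_id' => '3'];             // all a cross-site form can send

var_dump(csrfCheck($session, 'POST', $legit));  // bool(true)
var_dump(csrfCheck($session, 'POST', $forged)); // bool(false)
var_dump(csrfCheck($session, 'GET', $legit));   // bool(false)
```

The token is tied to the session, not to the page, so it survives navigation; rotating it on login (together with the session id) keeps a token captured before authentication from being useful afterwards.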
APPSEC-1917: Password theft through uploaded video and Auth Prompt password theft vulnerability
Type: Security Misconfiguration
CVSSv3 Severity: 4.3 (Medium)
Known Attacks: None
Description:

Users can exploit vulnerabilities in the Auth Prompt user password field and in external video uploads to steal user passwords.

Product(s) Affected: Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9
Fixed In: Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752
Reporter: todayisnew

APPSEC-1993: IP spoofing
Type: Privilege Escalation & Enumeration
CVSSv3 Severity: 3.7 (Low)
Known Attacks: None
Description:

A vulnerability exists that permits spoofing of a client's IP address, which could allow bypassing of any security feature that relies on identifying a client by its source IP.

Product(s) Affected: Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9, Magento 2.1 prior to 2.1.14, Magento 2.2 prior to 2.2.5
Fixed In: Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752, Magento 2.1.14, Magento 2.2.5
Reporter: driskell

Please refer to Security Best Practices for additional information on how to secure your site.

Be sure to implement and test the patch in a development environment first to confirm that it works as expected before deploying it to a production site.