As technology advances, attackers on the web are becoming more aggressive and keep finding inventive ways to attack merchants, going after the low-hanging fruit of known, unpatched vulnerabilities.
The Magento community therefore works constantly to remove vulnerabilities and keep stores secure on the open Internet. Magento ships regular fixes to its core code as security patches (for Magento 1, the SUPEE-numbered patches).
Recommended Read: Various SUPEE Security Patches to Bulletproof your Magento Store
Magento has recently released the latest security patch for Magento 1, SUPEE-10415. It addresses several issues at once: cross-site request forgery (CSRF), denial of service (DoS), remote code execution (RCE) by authenticated admin users, and a fix for SOAP v1 interaction in WSDL.
The patch applies to Magento Commerce 1.9.0.0 through 1.14.3.6 and Magento Open Source 1.5.0.0 through 1.9.3.6; the releases 1.14.3.7 and 1.9.3.7 already contain the same fixes (see the "Fixed In" column below). If you run an older version than the patch supports, you have to upgrade first to get the benefit of these fixes.
If you have not yet installed SUPEE-10415, check the notification inbox in your Magento admin panel and secure your e-commerce site against the following vulnerabilities.
- Denial of Service (DoS, APPSEC-1330): a site visitor creating an account can cause a server-side denial of service because one of the request parameters is not sanitized.
- Stored Cross-Site Scripting (XSS, APPSEC-1885): an admin with limited privileges can insert script into a product's description and short description, which then runs for other site users.
- Stored XSS (APPSEC-1892): as above, but the script is inserted through Visual Merchandiser.
- Remote Code Execution (RCE, APPSEC-1894): an admin can insert injectable code into promo fields, leading to arbitrary code execution.
- Patch fix (APPSEC-1897): corrects WSDL-based patching so that it works with SOAP v1; this affects a small number of customers.
- RCE (APPSEC-1913): an admin can inject a malformed configuration value that bypasses validation and leads to file redirection.
- Stored XSS (APPSEC-1914): an admin can inject script by creating a CMS page.
- RCE (APPSEC-1915): an admin can create a CMS page that is parsed incorrectly, leading to arbitrary code execution.
- Stored XSS (APPSEC-1325): an admin can create a Billing Agreement with embedded script.
- RCE (APPSEC-1830): an admin can insert a widget block carrying a malicious payload, leading to code execution.
- RCE (APPSEC-1861): an admin can insert injectable code into promo fields.
The technical details are summarised in the table below.
| APPSEC ID | CVSSv3 severity | Security issue | Products affected | Fixed in |
|---|---|---|---|---|
| APPSEC-1330 | 6.7 (Medium) | Non-sanitized input leading to a denial of service | Magento Open Source prior to 1.9.3.7 and Magento Commerce prior to 1.14.3.7 | Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415 |
| APPSEC-1885 | 6.6 (Medium) | Stored XSS in product descriptions | Same as above | Same as above |
| APPSEC-1892 | 6.1 (Medium) | Stored XSS in Visual Merchandiser | Same as above | Same as above |
| APPSEC-1894 | 8.2 (High) | Remote code execution by leveraging unsafe unserialization | Same as above | Same as above |
| APPSEC-1897 | None (functional fix) | Fix WSDL-based patching to work with SOAP v1 | Same as above | Same as above |
| APPSEC-1913 | 7.2 (High) | Remote code execution through configuration manipulation | Same as above | Same as above |
| APPSEC-1914 | 6.1 (Medium) | Stored XSS in CMS page area | Same as above | Same as above |
| APPSEC-1915 | 8.2 (High) | Remote code execution in CMS page area | Same as above | Same as above |
| APPSEC-1325 | 5.5 (Medium) | Stored XSS in Billing Agreements | Same as above | Same as above |
| APPSEC-1830 | 8.2 (High) | PHP object injection in product attributes leading to remote code execution | Magento Open Source prior to 1.9.3.7, Magento Commerce prior to 1.14.3.7, Magento 2.0 prior to 2.0.17, Magento 2.1 prior to 2.1.10, Magento 2.2 prior to 2.2.1 | Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415, Magento 2.0.17, Magento 2.1.10, Magento 2.2.1 |
| APPSEC-1861 | 8.2 (High) | PHP object injection in product entries leading to remote code execution | Same as above | Same as above |
Message for Magento Merchants:
Looking at the table, you will have seen that some of these issues are critical while others are moderate but still need attention. If you are new to the Magento eCommerce platform and want to know how to install such patches, we have prepared a thorough guide in our blog post “Installing Magento Patches in Different Ways”; the official instructions are on the Magento website.
Keep in mind that applying a security patch takes some time, so be patient. If you are tech-savvy and want the official details, visit https://magento.com/security/patches/supee-10415.
If you have any trouble installing the patches, or would like to make your Magento storefront more secure, start a dialog with our “Magento Support Center” and get a prompt response.
Are you worried about the steady stream of new security patches for your Magento store? Hand that stress to Mconnect: buy a Magento website maintenance package and the support team will manage the rest. It is a reliable way to be notified as soon as a new Magento security patch is released and to have the patches installed automatically once they are publicly available.
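After the patch has been applied (or a store has been upgraded to 1.9.3.7 / 1.14.3.7), it is worth confirming the result rather than trusting the admin inbox. The script below is an added example, not Magento's or Mconnect's tooling. It relies on two facts about Magento 1: the patch scripts record each applied patch as one line in app/etc/applied.patches.list, with fields separated by " | " and the patch name in the second field, and app/Mage.php declares the release number in getVersionInfo(). The release thresholds come from the "Fixed In" column above. The fixture builder and the sample list lines are constructed so the check can be exercised without a real store; reverted patches are not accounted for (an assumption stated in the code).

```python
"""Check whether a Magento 1 install is covered by SUPEE-10415 (added example).

Assumptions: app/etc/applied.patches.list has the patch name in the second
" | "-separated field; app/Mage.php carries the version in getVersionInfo();
bookkeeping lines for reverted patches are not handled.
"""
import os
import re
import sys
import tempfile

PATCH_NAME = "SUPEE-10415"


def magento_version(root):
    """(major, minor, revision, patch) from app/Mage.php's getVersionInfo()."""
    with open(os.path.join(root, "app", "Mage.php"), encoding="utf-8") as fh:
        src = fh.read()
    fields = dict(re.findall(r"'(major|minor|revision|patch)'\s*=>\s*'(\d+)'", src))
    missing = {"major", "minor", "revision", "patch"} - set(fields)
    if missing:
        raise ValueError(f"app/Mage.php lacks version fields: {sorted(missing)}")
    return tuple(int(fields[k]) for k in ("major", "minor", "revision", "patch"))


def applied_patches(root):
    """Set of patch names recorded in app/etc/applied.patches.list."""
    path = os.path.join(root, "app", "etc", "applied.patches.list")
    if not os.path.exists(path):
        return set()
    names = set()
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            parts = [p.strip() for p in line.split("|")]
            if len(parts) > 1 and parts[1]:
                names.add(parts[1])
    return names


def release_includes_fix(version):
    """True if the release already ships the fixes: Open Source 1.9.3.7+, Commerce 1.14.3.7+."""
    if version[:2] == (1, 9):            # Open Source 1.9.x line
        return version >= (1, 9, 3, 7)
    return version >= (1, 14, 3, 7)      # Commerce 1.x line (older 1.10-1.13 need the patch)


def supee_10415_status(root):
    """'fixed-in-release', 'patched', or 'missing'."""
    if release_includes_fix(magento_version(root)):
        return "fixed-in-release"
    if PATCH_NAME in applied_patches(root):
        return "patched"
    return "missing"


# --- Constructed fixtures so the check can be exercised without a real store ---
MAGE_PHP_TEMPLATE = """<?php
final class Mage
{
    public static function getVersionInfo()
    {
        return array(
            'major'     => '%d',
            'minor'     => '%d',
            'revision'  => '%d',
            'patch'     => '%d',
            'stability' => '',
            'number'    => '',
        );
    }
}
"""


def make_fixture(version, patch_lines=()):
    """Temp directory holding only the two files the checks read (constructed data)."""
    root = tempfile.mkdtemp(prefix="magento-")
    os.makedirs(os.path.join(root, "app", "etc"))
    with open(os.path.join(root, "app", "Mage.php"), "w", encoding="utf-8") as fh:
        fh.write(MAGE_PHP_TEMPLATE % version)
    if patch_lines:
        with open(os.path.join(root, "app", "etc", "applied.patches.list"), "w",
                  encoding="utf-8") as fh:
            fh.write("\n".join(patch_lines) + "\n")
    return root


if __name__ == "__main__":
    # Real use: python check_supee_10415.py /path/to/magento/root
    root = sys.argv[1] if len(sys.argv) > 1 else make_fixture(
        (1, 9, 3, 6),
        ["2017-11-29 10:21:33 UTC | SUPEE-10415 | CE_1.9.3.6 | v1 | constructed sample line"])
    print(root, magento_version(root), supee_10415_status(root))
```

A "patched" result only proves the patch script ran to completion; if files under app/code/core were later overwritten by a deployment that did not include the patched tree, the list can be stale, so the check is best combined with the file-level verification in your deployment pipeline.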