SUPEE-11155, Magento Commerce 1.14.4.2 and Open Source 1.9.4.2 contain multiple security enhancements that help close remote code execution (RCE), cross-site scripting (XSS), cross-site request forgery (CSRF) and other vulnerabilities.

Patches and upgrades are available for the following Magento versions:

  • Magento Commerce 1.9.0.0-1.14.4.1: SUPEE-11155 or upgrade to Magento Commerce 1.14.4.2.
  • Magento Open Source 1.5.0.0-1.9.4.1: SUPEE-11155 or upgrade to Magento Open Source 1.9.4.2.

List of High CVSSv3 Severity Issues Addressed by this Security Patch

  • Arbitrary code execution in the advanced admin logging configuration – CVE-2019-7893
    A user with administrator privileges and access to the advanced admin logging configuration can trigger remote code execution via PHP Object Injection.
  • Arbitrary code execution by importing malicious dataflow profiles – CVE-2019-7884
    An authenticated user with privileges to edit block permission, import dataflow functionality, and modify CMS content can execute arbitrary code by importing malicious dataflow profiles.
  • Arbitrary code execution via crafted sitemap creation – CVE-2019-7932
    An authenticated user with admin privileges to create sitemaps can execute arbitrary code via crafted filenames that include a PHP extension within the XML filename.
  • PHP Object Injection in the Currency setup feature can lead to arbitrary code execution – CVE-2019-7914
    A PHP Object Injection vulnerability in the currency setup feature can be exploited by an authenticated user with administrator privileges to execute arbitrary code.
  • PHP Object Injection in the Admin Actions Logging feature can lead to arbitrary code execution – CVE-2019-7946
    A PHP Object Injection vulnerability in the admin actions logging configuration feature can be exploited by an authenticated user with administrator privileges to execute arbitrary code.
  • PHP Object Injection in the Model Design Package can lead to arbitrary code execution – CVE-2019-7906
    A PHP Object Injection vulnerability in the model design package can be exploited by an authenticated user with administrator privileges to execute arbitrary code.
  • PHP Object Injection in the Enterprise Logging feature can lead to arbitrary code execution – CVE-2019-7905
    A PHP Object Injection vulnerability in the enterprise logging configuration feature can be exploited by an authenticated user with administrator privileges to execute arbitrary code.
  • Remote code execution via dataflow import and catalog functionality – CVE-2019-7952
    An authenticated user with admin privileges can execute arbitrary code via layout updates when using a crafted combination of dataflow import and catalog categories.
  • Arbitrary code execution due to unsafe handling of system configuration – CVE-2019-7911
    An authenticated user with admin privileges to manipulate system configuration can execute arbitrary code through server-side request forgery.
  • Arbitrary code execution due to unsafe handling of payment bridge gateway – CVE-2019-7910
    An authenticated user with admin privileges to manipulate payment methods can execute arbitrary code through server-side request forgery.
  • Arbitrary code execution due to unsafe deserialization of configuration fields – CVE-2019-7907
    An authenticated user with configuration privileges can execute arbitrary code due to unserialization of user controlled configuration values.
  • Stored cross-site scripting in the admin panel – CVE-2019-7909
    A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious JavaScript.
  • Stored cross-site scripting in the admin panel – CVE-2019-7875
    A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious JavaScript.
  • Stored cross-site scripting in the admin panel – CVE-2019-7933
    A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious JavaScript.

Source: Magento
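Several of the issues above (CVE-2019-7893, -7914, -7946, -7906, -7905 and -7907) share one root cause: a stored configuration value is passed to PHP's unserialize(), which instantiates whatever class the serialized string names. The following is an added illustration written for this page, not Magento's code and not the code changed by SUPEE-11155. It assumes a hypothetical config loader that stores arrays of scalars, contrasts the weak call with a form that refuses to build objects, and includes a heuristic audit check a defender can run over stored values; the sample values are constructed.

```php
<?php
// Added example, not from Magento or the advisory. Shows the unsafe
// deserialization pattern behind the PHP Object Injection findings
// and a hardened alternative. Requires PHP 8 (mixed, JSON_THROW_ON_ERROR).

declare(strict_types=1);

// Weak: a default unserialize() builds objects for any class named in
// the data, so a user-controlled stored value picks the class that gets
// instantiated. This is the primitive the advisory describes.
function loadConfigValueWeak(string $stored): mixed
{
    return unserialize($stored);
}

// Hardened: allowed_classes => false means no class is ever
// instantiated; any object in the payload becomes
// __PHP_Incomplete_Class, which is treated as an error here.
function loadConfigValueHardened(string $stored): mixed
{
    $value = unserialize($stored, ['allowed_classes' => false]);
    if ($value === false && $stored !== serialize(false)) {
        throw new UnexpectedValueException('Malformed serialized config value');
    }
    if (containsIncompleteClass($value)) {
        throw new UnexpectedValueException('Serialized objects are not permitted in configuration');
    }
    return $value;
}

// Walks arrays recursively; arrays of scalars are the only shape we accept.
function containsIncompleteClass(mixed $value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsIncompleteClass($item)) {
                return true;
            }
        }
    }
    return false;
}

// Preferable for new code: JSON has no object-instantiation semantics.
function loadConfigValueJson(string $stored): mixed
{
    return json_decode($stored, true, 512, JSON_THROW_ON_ERROR);
}

// Audit heuristic for stored values: flag anything that looks like a
// serialized object (O:) or a custom-serialized class (C:), whether at
// the top level or nested inside an array.
function looksLikeSerializedObject(string $stored): bool
{
    return (bool) preg_match('/(?:^|[;{])[OC]:\d+:"/', $stored);
}

// Constructed sample values (hypothetical, not taken from the advisory).
$plainArray = serialize(['currency' => 'USD', 'symbol' => '$']);
$objectBlob = 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}';

$config = loadConfigValueHardened($plainArray);
echo 'currency=', $config['currency'], PHP_EOL;

echo 'audit flag: ', looksLikeSerializedObject($objectBlob) ? 'yes' : 'no', PHP_EOL;

try {
    loadConfigValueHardened($objectBlob);
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The audit helper is a heuristic: legitimate Magento configuration rows may contain serialized arrays, which it leaves alone, but any row matching the object marker deserves a look, since an administrator-level account should not need to store executable object graphs in configuration. The hardened loader is the minimal change; moving configuration storage to JSON removes the class of bug entirely.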