Despite being one of the most robust ecommerce platforms, Magento also encounters security issues from time to time, which is why Magento regularly releases new versions and security patches to guard against these vulnerabilities.

Magento has just released security updates, bundled with other improvements, in new versions of Magento Commerce and Open Source that improve product security, performance, and functionality:

  • Magento Commerce and Open Source 2.3.1
  • Magento Commerce and Open Source 2.2.8
  • Magento Commerce and Open Source 2.1.17
  • Magento Commerce 1.14.4.1
  • Magento Open Source 1.9.4.1
  • SUPEE-11086 to patch earlier Magento 1.x versions

Several high CVSSv3 severity issues were found affecting Magento Open Source prior to 1.9.4.1, Magento Commerce prior to 1.14.4.1, Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, and Magento 2.3 prior to 2.3.1. Below are the high severity Magento vulnerabilities addressed by the latest security update:

Issue Type: Remote Code Execution (RCE)

Each entry gives the CVSSv3 severity, the security bug, and its description:

  • 9.8: Remote code execution through crafted newsletter and email templates. An administrator user with access to the Braintree payment method configuration can trigger remote code execution through PHP object injection.
  • 9.1: Remote code execution through email template. An authenticated user with administrative privileges can execute arbitrary code through email templates.
  • 8.5: Arbitrary code execution due to unsafe deserialization of a PHP archive. An authenticated user with administrative privileges can execute arbitrary code through a Phar deserialization vulnerability.
  • 8.5: Arbitrary code execution due to the unsafe handling of an API call to a core bundled extension (Magento Shipping). An authenticated user with privileges to configure store settings can execute arbitrary code through server-side request forgery.
  • 8.5: The upload settings for B2B quote files are vulnerable to remote code execution attacks. An authenticated user with privileges to configure email templates can execute arbitrary code via a PHP archive deserialization vulnerability.

Issue Type: SQL Injection and cross-site scripting

Each entry gives the CVSSv3 severity, the security bug, and its description:

  • 7.7: SQL injection and stored cross-site scripting (XSS) vulnerability in the Catalog section. An authenticated user can embed malicious code through a stored cross-site scripting vulnerability or an SQL injection vulnerability in the Catalog section by manipulating attribute_code.
  • 7.2: SQL injection vulnerability through an unauthenticated user. An unauthenticated user can execute arbitrary code through an SQL injection vulnerability, which causes sensitive data leakage.
  • 6.5: SQL injection due to inadequate validation of user input. An authenticated user with privileges to configure email templates can execute arbitrary SQL queries.

Issue Type: Cross Site Scripting

Each entry gives the CVSSv3 severity, the security bug, and its description:

  • 6.5: Stored cross-site scripting in the Admin Customer Segments area. An authenticated user with privileges to the Customer Segments section of the Admin can use a stored cross-site scripting vulnerability to embed malicious code.
  • 6.3: Reflected cross-site scripting vulnerability in the Admin through the requisition list ID. An authenticated user with privileges to the Admin requisition list ID can use a cross-site scripting vulnerability to embed malicious code.
  • 5.8: Stored cross-site scripting in the admin panel via the Admin Shopping Cart Rules page. An authenticated user with administrative privileges can embed arbitrary code in the Conditions tab of the Admin Shopping Cart Rules page.
  • 5.8: Deletion of a product attribute through cross-site request forgery. An attacker can delete a product attribute within the context of an authenticated administrator’s session through cross-site request forgery.
  • 5.8: Site map deletion through cross-site request forgery. An attacker can delete the site map within the context of an authenticated administrator’s session through cross-site request forgery.
  • 5.7: Deletion of synonym groups through a cross-site request forgery vulnerability. An attacker can delete all synonym groups within the context of an authenticated administrator’s session through cross-site request forgery.

Source: Magento Security

Magento strongly recommends deploying these new releases right away to ensure optimal security and performance. Implement and test the patch in a development environment first to confirm that it works as expected, or consult a professional.
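Before scheduling the upgrade, the first question for each store is which entry in the release list above it falls under. The inventory check below is an added example, not code from Magento or from this post: the version thresholds are copied from the release list above, and the assumption that applying SUPEE-11086 to a 1.x store leaves its reported version string unchanged is mine, which is why the check takes that as an explicit flag.

```python
from typing import Tuple

# Minimum release per branch that carries the fixes (from the post's release list).
PATCHED_RELEASES = {
    (2, 3): (2, 3, 1),
    (2, 2): (2, 2, 8),
    (2, 1): (2, 1, 17),
    (1, 14): (1, 14, 4, 1),  # Magento Commerce 1.x
    (1, 9): (1, 9, 4, 1),    # Magento Open Source 1.x
}

def parse_version(text: str) -> Tuple[int, ...]:
    """'2.3.0' or '2.3.0-p1' -> (2, 3, 0); a '-' suffix is dropped."""
    parts = text.strip().split("-")[0].split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable Magento version: {text!r}")
    return tuple(int(p) for p in parts)

def assess(version_text: str, supee_11086_applied: bool = False) -> str:
    """Classify one store relative to the March 2019 releases.

    Assumption (not stated in the post): applying SUPEE-11086 to a 1.x store
    does not change its reported version, so the caller passes that flag.
    """
    v = parse_version(version_text)
    branch = v[:2]
    if branch not in PATCHED_RELEASES:
        if v[0] == 1:
            # Older 1.x branches get no new release; SUPEE-11086 is the only fix path.
            return "patched" if supee_11086_applied else "unpatched: apply SUPEE-11086"
        return "unknown branch: not covered by this release list"
    threshold = PATCHED_RELEASES[branch]
    width = max(len(v), len(threshold))
    pad = lambda t: t + (0,) * (width - len(t))  # so '2.3' compares as 2.3.0
    if pad(v) >= pad(threshold) or (v[0] == 1 and supee_11086_applied):
        return "patched"
    return "unpatched: upgrade to " + ".".join(map(str, threshold))

if __name__ == "__main__":
    # Constructed sample inventory: host -> (reported version, SUPEE-11086 applied?)
    inventory = {
        "shop-a": ("2.3.0", False),
        "shop-b": ("2.2.8", False),
        "legacy-c": ("1.9.3.10", True),
        "legacy-d": ("1.8.1.0", False),
    }
    for host, (ver, supee) in inventory.items():
        print(f"{host:10} {ver:10} {assess(ver, supee)}")
```

A 1.x store below 1.9.4.1 or 1.14.4.1 without the flag set is reported as unpatched, so stores where the patch status is unknown show up for manual verification rather than being silently counted as fixed.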

What else can be done to protect a Magento site?

Apart from installing the security patches, you can also have Magento certified professionals conduct a security audit every quarter to ensure that your store remains secure, especially if you have installed new extensions or made changes to the site.

If you’re interested in implementing the security patches or upgrading your Magento site, reach out to Rave to quickly schedule a meeting with one of our Certified Magento Professionals, who will coordinate a free Upgrade Assessment and estimate.