GHSA-prpf-cj87-hwvr

Source
https://github.com/advisories/GHSA-prpf-cj87-hwvr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-prpf-cj87-hwvr/GHSA-prpf-cj87-hwvr.json
Published
2024-05-15T22:32:47Z
Modified
2024-05-15T22:50:09.416361Z
Summary
Magento Patch SUPEE-10752 - Multiple security enhancements vulnerabilities
Details

Magento Commerce 1.14.3.9 and Open Source 1.9.3.9 bring essential security enhancements with Patch SUPEE-10752. These updates address various vulnerabilities, including authenticated Admin user remote code execution (RCE), cross-site request forgery (CSRF), and more.

Key Security Improvements:

  • APPSEC-2001: Authenticated Remote Code Execution (RCE) using custom layout XML
  • APPSEC-2015: Authenticated Remote Code Execution (RCE) through the Create New Order feature (Commerce only)
  • APPSEC-2042: PHP Object Injection and RCE in the Magento admin panel (Commerce Target Rule module)
  • APPSEC-2029: PHP Object Injection and Remote Code Execution (RCE) in the Admin panel (Commerce)
  • APPSEC-2007: Authenticated SQL Injection when saving a category
  • APPSEC-2027: CSRF is possible against Web sites, Stores, and Store Views
  • APPSEC-1882: The cron.php file can leak database credentials
  • APPSEC-2006: Stored cross-site scripting (XSS) through the Enterprise Logging extension
  • APPSEC-2005: Persistent Cross-Site Scripting (XSS) injection in Configuration table
  • APPSEC-1880: Cross-Site Scripting (XSS) through the Admin Username in the CMS Revision Editor (Commerce only)
  • APPSEC-2004: Cross-Site Scripting (XSS) through Remote File Inclusion
  • APPSEC-1988: Path traversal vulnerability in templates
  • APPSEC-1987: Reflective cross-site scripting (XSS) through filter manipulation
  • APPSEC-2034: XSS in Admin Create Order Configure Product Via Compatible File Extensions
  • APPSEC-1876: Cross-site scripting (XSS) in Admin Bundle Product Bundle Items Tab through Product SKU
  • APPSEC-1874: Cross-Site Scripting (XSS) in the Admin Gift Registry Type Edit via Attribute Group
  • APPSEC-1872: Cross-Site Scripting (XSS) in the Admin Manage Catalog Events list through category name
  • APPSEC-1928: Stored XSS in Downloadable Product Links title - frontend
  • APPSEC-1871: Cross-Site Scripting (XSS) in the Admin Manage Customer Rewards points history using the Reason field
  • APPSEC-1870: Cross-Site Scripting (XSS) in Admin Manage Invitations list through Invitee email address
  • APPSEC-1972/APPSEC-2103: Admin password change does not force the logout of the Admin user
  • APPSEC-1934: Systemic Cross-Site Request Forgery (CSRF) on the Checkout page
  • APPSEC-1917: Password theft though uploaded video and Auth Prompt password theft vulnerability
  • APPSEC-1993: IP spoofing

Patches and upgrades are available for the following Magento versions:

  • Magento Commerce 1.9.0.0-1.14.3.9: SUPEE-10752 or upgrade to Magento Commerce 1.14.3.9.
  • Magento Open Source 1.5.0.0-1.9.3.9: SUPEE-10752 or upgrade to Magento Open Source 1.9.3.9.
References

Affected packages

Packagist / magento/community-edition

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0The exact introduced commit is unknown
Fixed
1.9.3.9

Affected versions

0.*

0.1.0-alpha89
0.1.0-alpha90
0.1.0-alpha91
0.1.0-alpha92
0.1.0-alpha93
0.1.0-alpha94
0.1.0-alpha95
0.1.0-alpha96
0.1.0-alpha97
0.1.0-alpha98
0.1.0-alpha99
0.1.0-alpha100
0.1.0-alpha101
0.1.0-alpha102
0.1.0-alpha103
0.1.0-alpha104
0.1.0-alpha105
0.1.0-alpha106
0.1.0-alpha107
0.1.0-alpha108
0.42.0-beta1
0.42.0-beta2
0.42.0-beta3
0.42.0-beta4
0.42.0-beta5
0.42.0-beta6
0.42.0-beta7
0.42.0-beta8
0.42.0-beta9
0.42.0-beta10
0.42.0-beta11
0.74.0-beta1
0.74.0-beta2
0.74.0-beta3
0.74.0-beta4
0.74.0-beta5
0.74.0-beta6
0.74.0-beta7
0.74.0-beta8
0.74.0-beta9
0.74.0-beta10
0.74.0-beta11
0.74.0-beta12
0.74.0-beta13
0.74.0-beta14
0.74.0-beta15
0.74.0-beta16

1.*

1.0.0-beta
1.0.0-beta2
1.0.0-beta3
1.0.0-beta4
1.0.0-beta5
1.0.0-beta6