Multiple vulnerabilities in Magento Commerce and Open Source



Published: 2019-10-30 | Updated: 2019-10-30
Risk High
Patch available YES
Number of vulnerabilities 16
CVE-ID CVE-2019-8235
CWE-ID CWE-200
CWE-79
CWE-264
CWE-799
CWE-352
CWE-918
CWE-94
CWE-284
CWE-89
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Adobe Commerce (formerly Magento Commerce)
Web applications / E-Commerce systems

Magento Open Source
Web applications / E-Commerce systems

Vendor Magento, Inc

Security Bulletin

This security bulletin contains information about 16 vulnerabilities.

1) Information disclosure

EUVDB-ID: #VU22421

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-8235

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to Insecure direct object references issue. A remote authenticated user can view personally identifiable shipping details of another user.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Commerce (formerly Magento Commerce): 2.1.0 - 2.3.0

External links

http://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Cross-site scripting

EUVDB-ID: #VU18728

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:H/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote authenticated attacker can inject and execute arbitrary HTML through a CLI command and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Magento Open Source: 2.1.0 - 2.3.0

External links

http://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU18727

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to spam using share a wishlist functionality. A remote attacker can send spam messages.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Magento Open Source: 2.1.0 - 2.3.0

External links

http://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Missing CAPTCHA

EUVDB-ID: #VU18726

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-799 - Improper Control of Interaction Frequency

Exploit availability: No

Description

The vulnerability allows a remote attacker to spamming.

The vulnerability exists due to missing CAPTCHA on Send to a friend page. A remote attacker can send spam messages on the vulnerable page.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Magento Open Source: 2.1.0 - 2.3.0

External links

http://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Cross-site request forgery

EUVDB-ID: #VU18725

Risk: Medium

CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can delete the content of wyswig directory within the context of authenticated administrator's session, trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Magento Open Source: 2.1.0 - 2.3.0

External links

http://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Cross-site request forgery

EUVDB-ID: #VU18724

Risk: Medium

CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can  delete the site map within the context of an authenticated administrator's session, trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Magento Open Source: 2.1.0 - 2.3.0

External links

http://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Cross-site request forgery

EUVDB-ID: #VU18723

Risk: Medium

CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can delete a product attribute within the context of authenticated administrator's session, trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Commerce (formerly Magento Commerce): 1.14.0.0 - 1.14.4.0

Magento Open Source: 1.9.0.0 - 2.3.0

External links

http://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Server-Side Request Forgery (SSRF)

EUVDB-ID: #VU18722

Risk: High

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to the unsafe handling of an API call to a core bundled extension. A remote authenticated attacker with privileges to configure store settings can execute arbitrary code execution through server-side request forgery.

Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Magento Open Source: 2.1.0 - 2.3.0

External links

http://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Code Injection

EUVDB-ID: #VU18721

Risk: Medium

CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in email template. A remote administrator can send a specially crafted request and execute arbitrary code through email templates on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Magento Open Source: 2.1.0 - 2.3.0

External links

http://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Code Injection

EUVDB-ID: #VU18720

Risk: Medium

CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation via crafted newsletter and email templates . A remote authenticated attacker with privileges to create newsletter or email templates can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Magento Open Source: 2.1.0 - 2.3.0

External links

http://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Improper access control

EUVDB-ID: #VU18719

Risk: Medium

CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to sensitive information.

The vulnerability exists due to improper access restrictions of the Insecure direct object reference in the application. A remote authenticated attacker can enumerate and access unauthorized wishlist via insecure direct object reference in the application.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Magento Open Source: 2.1.0 - 2.3.0

External links

http://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Improper access control

EUVDB-ID: #VU18718

Risk: Medium

CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to sensitive information.

The vulnerability exists due to a bypass of authentication controls for a customer using a web API endpoint. A remote authenticated attacker can control other customer's requisition lists by using a web API endpoint to send a request to the server. This overrides the customer_id parameter.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Magento Open Source: 2.1.0 - 2.3.0

External links

http://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU18715

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to bypassing the need for administrator authentication approval on B2B accounts. A remote authenticated attacker can create a B2B account without administrative approval.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Magento Open Source: 2.1.0 - 2.3.0

External links

http://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Information disclosure

EUVDB-ID: #VU18714

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to administrative credentials are logged in exception reports. A remote attacker can gain unauthorized access to sensitive information on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Commerce (formerly Magento Commerce): 1.14.0.0 - 1.14.4.0

Magento Open Source: 1.9.0.0 - 2.3.0

External links

http://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Information disclosure

EUVDB-ID: #VU18713

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to default configuration allows public access to custom PHP settings. A remote attacker can gain unauthorized access to sensitive information on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Magento Open Source: 2.1.0 - 2.3.0

External links

http://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) SQL injection

EUVDB-ID: #VU18711

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote unauthenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Adobe Commerce (formerly Magento Commerce): 1.14.0.0 - 1.14.4.0

Magento Open Source: 1.9.0.0 - 2.3.0

External links

http://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###