Magento keeps pace with the market through its latest releases and security enhancements. The latest are the Magento Commerce 1.14.3.9 and Magento Open Source 1.9.3.9 security releases, which close an authenticated Admin user remote code execution vulnerability, a cross-site request forgery vulnerability and several others.
Upgrades and patches are available for the following Magento versions:
- Magento Commerce 1.9.0.0-1.14.3.9: SUPEE-10752 or upgrade to Magento Commerce 1.14.3.9.
- Magento Open Source 1.5.0.0-1.9.3.9: SUPEE-10752 or upgrade to Magento Open Source 1.9.3.9.
Here is how to download the patch or the release:
Partners
- Magento Commerce 1.14.3.9: go to the Partner Portal, select Magento Commerce, then Magento Commerce 1.X, then Magento Commerce 1.x, then Version 1.x Releases and finally Version 1.14.3.9.
- SUPEE-10752: go to the Partner Portal, select Magento Commerce, then Magento Commerce 1.X, then Magento Commerce 1.x, then Support and Security Patches, then Security Patches and finally Security Patches – June 2018.
Magento Commerce Merchants
- Magento Commerce 1.14.3.9: go to My Account, click the Downloads tab, select Magento Commerce 1.X, then Magento Commerce 1.x, then Version 1.x Releases and finally Version 1.14.3.9.
- SUPEE-10752: go to My Account, click the Downloads tab, select Magento Commerce 1.X, then Magento Commerce 1.x, then Support and Security Patches, then Security Patches and finally Security Patches – June 2018.
Magento Open Source Merchants
- Magento Open Source 1.9.3.9: open the Magento Open Source Download Page and select the Release Archive tab.
- SUPEE-10752: open the Magento Open Source Download Page, select the Release Archive tab and go to the Magento Open Source Patches – 1.x section.
APPSEC-1993: IP spoofing
- The type is Privilege Escalation & Enumeration.
- CVSSv3 Severity is 3.7 (low).
- There are no known attacks.
- A vulnerability exists that allows spoofing of the client's IP address, which can potentially bypass security features that rely on the client's source IP.
- The affected products are Magento Open Source prior to 1.9.3.9, Magento Commerce prior to 1.14.3.9, Magento 2.1 prior to 2.1.14 and Magento 2.2 prior to 2.2.5.
- It is fixed in Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752, Magento 2.1.14, Magento 2.2.5
- The reporter is Driskell.
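One defensive check that the APPSEC-1993 class of issue calls for, as an added example that is not Magento's own code: honour X-Forwarded-For only when the connection actually arrived from a proxy you operate, and take the rightmost untrusted hop as the client. The $trustedProxies list and the two sample requests are assumptions.

```php
<?php
// Added example (not Magento code): resolving the client address for
// IP-based controls such as allow-lists, rate limits and audit logs.
// Assumption: $trustedProxies lists the reverse proxies you operate.

function clientIp(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    // Only a connection that really arrived from one of our proxies may
    // carry a forwarded header worth honouring; anyone else can set it.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '') {
        return $remote;
    }
    // X-Forwarded-For reads "client, proxy1, proxy2". Walk from the right,
    // skipping hops we trust; the first untrusted hop is the client.
    $hops = array_map('trim', explode(',', $xff));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            // Malformed entry: refuse to trust anything to its left.
            return $remote;
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    // Every hop was one of our own proxies; fall back to the socket peer.
    return $remote;
}

$trusted = ['10.0.0.2'];

// Constructed request 1: a browser connects directly and forges the header.
// The peer is not a trusted proxy, so the header is ignored and the socket
// peer (203.0.113.10) is used.
$direct = ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'];
echo clientIp($direct, $trusted), "\n";

// Constructed request 2: the same forged value arrives through our proxy,
// which appended the real peer. The rightmost untrusted hop (198.51.100.7)
// is the client; the forged 127.0.0.1 to its left is never reached.
$viaProxy = ['REMOTE_ADDR' => '10.0.0.2', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 198.51.100.7'];
echo clientIp($viaProxy, $trusted), "\n";
```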
APPSEC-1870: Cross-Site Scripting (XSS) in Admin Manage Invitations list through Invitee email address
- The type is Cross-site scripting (XSS).
- CVSSv3 severity is 5.0 (Medium).
- No known attacks have been detected.
- A user without Admin credentials can insert cross-site scripting into the Admin Manage Invitations list, which is displayed to admin users who do not have the 'Manage Customers' permission.
- The products that are affected are Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9
- It is fixed in Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752
- The reporter is mpchadwick.
APPSEC-1972/APPSEC-2103: Admin password change does not force the logout of the Admin user
- The type is Privilege Escalation and Enumeration.
- The CVSSv3 Severity is 4.3 (Medium).
- No known attacks have been reported.
- Changing the admin password from the admin panel does not force the Admin user to log out.
- The products that are affected: Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9
- It is fixed in Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752.
- No reporter is credited.
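One way to make a password change invalidate every other admin session, as an added example rather than Magento's own fix: bind each session to the password hash that was current at login and re-check that binding on every request. The AdminSessions class and its in-memory store are assumptions, and PHP 7.1+ is assumed for the nullable return type.

```php
<?php
// Added example (not Magento code): each admin session is bound to the password
// hash in force when it was opened, so a password change invalidates every other
// session for the account. Assumption: in-memory arrays stand in for the DB tables.
class AdminSessions
{
    private $users = [];     // username => current password hash
    private $sessions = [];  // session id => ['user' => ..., 'hash' => ...]

    public function createUser(string $user, string $password): void
    {
        $this->users[$user] = password_hash($password, PASSWORD_DEFAULT);
    }

    public function login(string $user, string $password): ?string
    {
        if (!isset($this->users[$user]) || !password_verify($password, $this->users[$user])) {
            return null;
        }
        $id = bin2hex(random_bytes(16));
        $this->sessions[$id] = ['user' => $user, 'hash' => $this->users[$user]];
        return $id;
    }

    // Run on every admin request: valid only while the bound hash is still current.
    public function isValid(string $id): bool
    {
        if (!isset($this->sessions[$id])) {
            return false;
        }
        $s = $this->sessions[$id];
        return hash_equals($this->users[$s['user']], $s['hash']);
    }

    public function changePassword(string $id, string $newPassword): void
    {
        $user = $this->sessions[$id]['user'];
        // password_hash() salts freshly, so the new hash never equals the old one.
        $this->users[$user] = password_hash($newPassword, PASSWORD_DEFAULT);
        // Re-bind only the session that made the change; all others now fail isValid().
        $this->sessions[$id]['hash'] = $this->users[$user];
    }
}

$store = new AdminSessions();
$store->createUser('admin', 'correct horse');
$desk  = $store->login('admin', 'correct horse');  // the administrator's own session
$other = $store->login('admin', 'correct horse');  // a second session, e.g. a stolen cookie
$store->changePassword($desk, 'battery staple');
var_dump($store->isValid($desk), $store->isValid($other)); // only $desk stays valid
```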
APPSEC-1871: Cross-Site Scripting (XSS) in the Admin Manage Customer Rewards points’ history using the Reason field
- The type is Cross site scripting (XSS).
- The CVSSv3 Severity is 5.0 (Medium).
- No known attacks are present.
- Admin users with limited privileges can use the Reward Points History feature to inject cross-site scripting (XSS).
- The affected products are Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9.
- It is fixed in Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752.
- The reporter is mpchadwick.
APPSEC-2001: Authenticated Remote Code Execution (RCE) using custom layout XML
- The type is Remote Code Execution (RCE).
- CVSSv3 Severity is 9.8 (Critical).
- No known attacks have been found.
- Admin users with permission to manage products can use custom layout XML to copy a file to any location.
- The products affected are Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9.
- It is fixed in Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752
- The reporter is Fabian.
APPSEC-2015: Authenticated Remote Code Execution (RCE) through the Create New Order feature (Commerce only)
- The type is Remote Code Execution (RCE).
- CVSSv3 Severity is 9.8 (critical).
- There are no known attacks.
- Users with permission to create orders through the Admin panel can use the gift card functionality to tamper with the request data and insert a malicious string that is later unserialized.
- The affected products are Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9.
- It is fixed in Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752.
- The reporter is Peter O’Callaghan.
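The unserialize() hazard behind APPSEC-2015 and the hardened alternatives, as an added example that is not Magento's code: the hypothetical AuditHook class, the decodeOptions helpers and the sample values are constructed, and PHP 7.0+ is assumed for the allowed_classes option.

```php
<?php
// Added example (not Magento code): why unserialize() on request data is
// dangerous, and two safer ways to accept structured option data.
// Assumptions: PHP 7.0+ for the allowed_classes option; AuditHook is a
// hypothetical class standing in for any class the application autoloads.
class AuditHook
{
    public $target = '';
    public function __wakeup()
    {
        // Runs purely because the input named this class: the sender
        // picked the class and its properties, the application never did.
        echo "__wakeup() ran for target {$this->target}\n";
    }
}

// Constructed request value: a serialized object where a plain array of
// gift card options was expected.
$requestValue = 'O:9:"AuditHook":1:{s:6:"target";s:6:"/tmp/x";}';

// 1. Vulnerable pattern: the input chooses which class is instantiated.
$obj = unserialize($requestValue);   // AuditHook is built and __wakeup() runs

// 2. Hardened: no class may be instantiated from the input. Any object in the
//    payload degrades to __PHP_Incomplete_Class, which is then rejected.
function decodeOptions(string $raw): ?array
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($value)) {
        return null;                  // scalar, incomplete object or bad data
    }
    $hasObject = false;
    array_walk_recursive($value, function ($v) use (&$hasObject) {
        $hasObject = $hasObject || is_object($v);
    });
    return $hasObject ? null : $value;
}

// 3. Preferred: carry options as JSON, which has no object graph at all.
function decodeOptionsJson(string $raw): ?array
{
    $value = json_decode($raw, true);
    return is_array($value) ? $value : null;
}

var_dump(decodeOptions($requestValue));                                     // object payload rejected
var_dump(decodeOptions('a:1:{s:6:"amount";s:2:"50";}'));                    // plain array accepted
var_dump(decodeOptionsJson('{"amount":"50","recipient":"a@example.com"}')); // JSON accepted
```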
These are some of the security fixes in this release, selected from a longer list. To learn about them in detail, or for help applying them, get in touch with us.