To provide enhanced security for customers using older versions of the Magento platform, we are backporting a fix from the security patch we released on June 25 (Magento 2.3.2, 2.2.9 and 2.1.18 Security Update) to additional versions of Magento Commerce and Magento Open Source.
This issue was addressed in Magento 2.3.2, 2.2.9, and 2.1.18 and is described under CVE-2019-7877 in the Magento 2.3.2, 2.2.9 and 2.1.18 Security Update. We are now offering patches for older versions. Although we have not seen many exploits of this vulnerability, we strongly recommend that all users of the affected versions of Magento download and apply the appropriate patch as soon as possible.
This vulnerability results from the combination of a flaw in an HTML sanitizer and an authenticated Phar file deserialization. An attacker can chain the resulting unauthenticated cross-site scripting vulnerability with the authenticated Phar deserialization vulnerability to inject JavaScript into the Magento Admin and subsequently run malicious code in a store user's browser.
Affected Magento versions
The issue affects the following Magento versions (on-premises and cloud):
Note: Patches have been tested on Magento versions 2.3.1, 2.3.0, 2.2.8 and 2.2.7 only. Deployments running on older versions of Magento are vulnerable and should be upgraded.
Patch information
There are Git-based and Composer-based patches for both the Magento 2.3.x and 2.2.x releases.
Magento 2.2.x releases:
PRODSECBUG-2233-2.2.x.patch
PRODSECBUG-2233-2.2.x.composer.patch
Magento 2.3.x releases:
PRODSECBUG-2233-2.3.x.patch
PRODSECBUG-2233-2.3.x.composer.patch
How to apply the patch
Patches are available from the Magento Download page for Magento Open Source, or through your Magento account for Magento Commerce. Locate the patch by name. We provide Git-based and Composer-based patches. See Applying patches for additional information.
For Magento Commerce Cloud, download the appropriate Magento Commerce version patch and see Apply custom patches.
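The patch selection rules above (tested releases, already-fixed releases, Git versus Composer variant) written out as a small deployment helper. This is an added example, not Magento's own tooling; it assumes the patch files have already been downloaded into PATCH_DIR, that it runs from the Magento root, and that the patches are applied with the usual git apply and patch -p1 invocations, which the page itself only references via the Applying patches guide.

```shell
#!/bin/sh
# Added example (not Magento's own tooling): pick the PRODSECBUG-2233 patch
# that matches an installation and apply it only after a clean dry run.
# Assumption: the patch files are already downloaded into $PATCH_DIR and
# the script runs from the Magento root.
PATCH_DIR=${PATCH_DIR:-.}

# select_patch VERSION INSTALL_TYPE -> prints the matching patch file name.
#   INSTALL_TYPE is "git" (code checked out from Git) or "composer".
#   Returns 2 if the release already contains the fix, 3 if the release is
#   not covered by the backport (upgrade instead), 4 on a bad install type.
select_patch() {
  version=$1; install=$2
  case "$version" in
    2.3.0|2.3.1) line=2.3.x ;;            # tested with the 2.3.x patch
    2.2.7|2.2.8) line=2.2.x ;;            # tested with the 2.2.x patch
    2.3.2|2.2.9|2.1.18) return 2 ;;       # fix shipped in these releases
    *) return 3 ;;                        # older: vulnerable, upgrade
  esac
  case "$install" in
    git)      printf 'PRODSECBUG-2233-%s.patch\n' "$line" ;;
    composer) printf 'PRODSECBUG-2233-%s.composer.patch\n' "$line" ;;
    *)        return 4 ;;
  esac
}

# apply_patch FILE INSTALL_TYPE: skip if already applied, dry-run, then apply.
apply_patch() {
  file=$PATCH_DIR/$1; install=$2
  [ -f "$file" ] || { echo "patch file not found: $file" >&2; return 1; }
  if [ "$install" = git ]; then
    git apply -R --check "$file" 2>/dev/null && { echo "already applied"; return 0; }
    git apply --check "$file" && git apply "$file"
  else
    patch -p1 -R -s -f --dry-run < "$file" >/dev/null 2>&1 && { echo "already applied"; return 0; }
    patch -p1 -s -f --dry-run < "$file" && patch -p1 -s < "$file"
  fi
}

# Usage: sh backport-2233.sh VERSION git|composer  (no args: functions only)
if [ $# -gt 1 ]; then
  f=$(select_patch "$1" "$2"); rc=$?
  case $rc in
    0) apply_patch "$f" "$2" ;;
    2) echo "Magento $1 already contains the fix; nothing to apply" ;;
    *) echo "Magento $1 is not covered by this backport; upgrade instead" >&2; exit 1 ;;
  esac
fi
```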