Ministry of Economic Development (Ministero dello Sviluppo Economico)

CERT Nazionale Italia - Computer Emergency Response Team

Critical security updates for Magento

Security updates have been released for the Magento e-commerce platform that fix a total of 75 vulnerabilities, 9 of which are rated critical and a further 10 high severity. If successfully exploited, the most serious of these vulnerabilities could allow arbitrary code execution in the context of the affected application, potentially leading to full compromise of the website.

Details of the vulnerabilities in Magento (titles as published in the vendor bulletins):

  • [Critical] Arbitrary code execution through design layout update (CVE-2019-7895)
  • [Critical] Arbitrary code execution through product imports and design layout update (CVE-2019-7896)
  • [Critical] Arbitrary code execution via file upload in admin import feature (CVE-2019-7930)
  • [Critical] Security bypass via form data injection (CVE-2019-7871)
  • [Critical] Arbitrary code execution via malicious XML layouts (CVE-2019-7942)
  • [Critical] Remote code execution through crafted email templates (CVE-2019-7903)
  • [Critical] MySQL Error through crafted Elasticsearch query (CVE-2019-7931)
  • [Critical] Arbitrary code execution via crafted sitemap creation (CVE-2019-7932)
  • [Critical] Arbitrary code execution through malicious elastic search module configuration (CVE-2019-7885)
  • [High] Insecure object reference via customer REST API (CVE-2019-7950)
  • [High] Insufficient enforcement of user access controls can lead to unauthorized environment configuration changes (CVE-2019-7904)
  • [High] SQL Injection due to a flaw in MySQL adapter (CVE-2019-7139)
  • [High] Insufficient brute-forcing defenses in the token exchange protocol could be abused in carding attacks (CVE-2019-7928)
  • [High] Arbitrary code execution due to unsafe handling of a carrier gateway (CVE-2019-7892)
  • [High] Arbitrary code execution via layout manipulation (CVE-2019-7876)
  • [High] Arbitrary code execution due to unsafe handling of a carrier gateway (CVE-2019-7923)
  • [High] Arbitrary code execution due to unsafe handling of a shipping gateway (CVE-2019-7913)
  • [High] Arbitrary code execution due to unsafe handling of system configuration (CVE-2019-7911)
  • [High] Security bypass via crafted SOAP requests (CVE-2019-7951)
  • [Medium] Insufficient server side validations leads to Insecure File upload vulnerability (CVE-2019-7861)
  • [Medium] Denial-of-service by forcing a store to respond with a 404 error (CVE-2019-7915)
  • [Medium] Insufficient authorization check when adding users to company accounts (CVE-2019-7872)
  • [Medium] Deletion of user roles via cross-site request forgery (CSRF) (CVE-2019-7874)
  • [Medium] Stored cross-site scripting in the admin panel (CVE-2019-7927)
  • [Medium] Stored cross-site scripting in the admin panel (CVE-2019-7936)
  • [Medium] Stored cross-site scripting in the catalog events feature (CVE-2019-7850)
  • [Medium] Reflected cross-site scripting in the admin panel (CVE-2019-7862)
  • [Medium] Stored cross-site scripting in the admin panel (CVE-2019-7937)
  • [Medium] Unsafe functionality is exposed via email templates manipulation (CVE-2019-7889)
  • [Medium] Stored cross-site scripting in the admin panel (CVE-2019-7897)
  • [Medium] Stored cross-site scripting in admin panel (CVE-2019-7909)
  • [Medium] Stored cross-site scripting in the catalog templates form (CVE-2019-7921)
  • [Medium] Stored cross-site scripting in the admin panel (CVE-2019-7875)
  • [Medium] Insecure Direct Object Reference (IDOR) vulnerability can lead to deletion of downloadable products folder (CVE-2019-7925)
  • [Medium] Stored cross-site scripting in the admin panel (CVE-2019-7926)
  • [Medium] Stored cross-site scripting in the Currency Symbols field (CVE-2019-7945)
  • [Medium] Stored cross-site scripting in the admin panel (CVE-2019-7908)
  • [Medium] Stored cross-site scripting in the admin panel (CVE-2019-7880)
  • [Medium] Stored cross-site scripting in the admin panel (CVE-2019-7877)
  • [Medium] Stored cross-site scripting in the admin panel (CVE-2019-7869)
  • [Medium] Stored cross-site scripting in the admin panel (CVE-2019-7868)
  • [Medium] Stored cross-site scripting in the admin panel (CVE-2019-7867)
  • [Medium] Stored cross-site scripting in the admin panel (CVE-2019-7866)
  • [Medium] Stored cross-site scripting in admin panel (CVE-2019-7863)
  • [Medium] Stored cross-site scripting in the admin panel (CVE-2019-7934)
  • [Medium] Stored cross-site scripting in the admin panel (CVE-2019-7935)
  • [Medium] Stored cross-site scripting in the admin panel (CVE-2019-7938)
  • [Medium] Stored cross-site scripting in the admin panel (CVE-2019-7940)
  • [Medium] Stored cross-site scripting in the Return Product comments feature (CVE-2019-7944)
  • [Medium] Stored Cross Site Scripting in the Admin Panel through the tax/notification/info_url setting (CVE-2019-7853)
  • [Medium] Path traversal vulnerability in WYSIWYG editor (CVE-2019-7859)
  • [Medium] Insecure user credential storage (CVE-2019-7858)
  • [Medium] Use of cryptographically weak PRNG to create gift card codes (CVE-2019-7855)
  • [Medium] Information about disabled products can be leaked due to inadequate validation checks (CVE-2019-7898)
  • [Medium] Insecure Direct Object Reference (IDOR) vulnerability can expose order shipping details (CVE-2019-7890)
  • [Medium] Insecure Direct Object Reference (IDOR) vulnerability can expose sensitive company details (CVE-2019-7854)
  • [Medium] Reflected cross-site scripting in the admin panel (CVE-2019-7887)
  • [Medium] Stored cross-site scripting in store shipping methods configuration (CVE-2019-7881)
  • [Medium] Stored cross-site scripting in the WYSIWYG editor (CVE-2019-7882)
  • [Medium] Reflected cross-site scripting on customer cart page (CVE-2019-7939)
  • [Medium] Sensitive data disclosure through malicious email templates (CVE-2019-7888)
  • [Medium] Sensitive data disclosure via crafted two factor edit user form (CVE-2019-7929)
  • [Medium] Names of disabled products can be leaked due to inadequate validation checks (CVE-2019-7899)
  • [Medium] Insecure token implementation leads to Cross-Site Request Forgery (CSRF) (CVE-2019-7857)
  • [Medium] Deletion of store design schedule via cross-site request forgery (CSRF) (CVE-2019-7873)
  • [Medium] Deletion of Blocks via cross-site request forgery (CSRF) (CVE-2019-7851)
  • [Low] Use of insufficiently random values in multiple security relevant contexts (CVE-2019-7860)
  • [Low] Insecure Direct Object Reference (IDOR) vulnerability can expose order details (CVE-2019-7864)
  • [Low] Use of insufficiently random values when generating initialization vector (CVE-2019-7886)
  • [Low] Insufficient brute force protections on promo code entry (CVE-2019-7846)
  • [Low] Disclosure of Magento admin panel URL (CVE-2019-7852)
  • [Low] Defense-in-depth session validation check implemented (CVE-2019-7849)
  • [Low] Cross site request forgery attacks are possible via the gift card removal feature (CVE-2019-7947)
  • [Low] Cross-site request forgery (CSRF) in checkout cart item (CVE-2019-7865)
  • [Low] Filter extension bypass via crafted store configuration keys (CVE-2019-7912)

The following Magento versions are affected, to varying degrees, by these vulnerabilities:

  • Magento Open Source versions prior to 1.9.4.2
  • Magento Commerce versions prior to 1.14.4.2
  • Magento 2.1 versions prior to 2.1.18
  • Magento 2.2 versions prior to 2.2.9
  • Magento 2.3 versions prior to 2.3.2

To fix these vulnerabilities, apply patch SUPEE-11155 (available for the 1.x versions only; it does not change the reported version number) or update Magento to one of the following versions:

  • Magento Open Source 1.9.4.2
  • Magento Commerce 1.14.4.2
  • Magento 2.1.18
  • Magento 2.2.9
  • Magento 2.3.2
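
The following is an added example, not part of this advisory and not code from Magento or CERT Nazionale Italia: it checks a Magento version string against the fixed releases listed above. It assumes the version string comes from `bin/magento --version` (2.x) or from `Mage::getVersion()` in `app/Mage.php` (1.x), and that a 1.x installation patched with SUPEE-11155 is recognised by the entry the official patch script writes to `app/etc/applied.patches.list` (the file name and the `SUPEE-11155` marker are assumptions about the default layout). Release lines not covered by the advisory (for example 2.0.x) are reported as unknown rather than as safe.

```python
"""Check a Magento version against the fixed releases named in the Magento
security advisory (1.9.4.2, 1.14.4.2, 2.1.18, 2.2.9, 2.3.2). Added example."""
import re
import sys
from typing import Optional, Tuple

# Fixed releases from the advisory, keyed by release line (first two components).
# 1.9.x is Magento Open Source, 1.14.x is Magento Commerce; the 2.x lines cover
# both editions.
FIXED_VERSIONS = {
    (1, 9): (1, 9, 4, 2),
    (1, 14): (1, 14, 4, 2),
    (2, 1): (2, 1, 18),
    (2, 2): (2, 2, 9),
    (2, 3): (2, 3, 2),
}

# Magento 1.x may carry the SUPEE-11155 patch instead of a version bump.
# Assumption: the patch script appends a line naming the patch to this file.
APPLIED_PATCHES_LIST = "app/etc/applied.patches.list"
PATCH_MARKER = "SUPEE-11155"


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Pull a dotted numeric version out of strings such as 'Magento CLI 2.3.1'
    or '1.9.4.1'. Returns None when no 3- or 4-component version is present."""
    match = re.search(r"\b(\d+(?:\.\d+){2,3})\b", text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(version_text: str, applied_patches: str = "") -> Optional[bool]:
    """True if the version is below the fixed release of its line, False if it is
    at or above it (or is a 1.x install whose patch list names SUPEE-11155),
    None if the release line is not covered by the advisory."""
    version = parse_version(version_text)
    if version is None:
        raise ValueError(f"no version number found in {version_text!r}")
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return None  # e.g. 2.0.x: not listed in the advisory, assess separately
    if version[0] == 1 and PATCH_MARKER in applied_patches:
        return False  # 1.x patched in place; version number is unchanged
    return version < fixed  # tuple comparison handles 3- and 4-part versions


def main(argv: list) -> int:
    """Usage: check_magento.py '<version string>' [path/to/applied.patches.list]"""
    if len(argv) < 2:
        print(main.__doc__)
        return 2
    patches = ""
    if len(argv) > 2:
        with open(argv[2], encoding="utf-8", errors="replace") as fh:
            patches = fh.read()
    result = is_vulnerable(argv[1], patches)
    if result is None:
        print("release line not covered by this advisory; check vendor guidance")
        return 1
    print("VULNERABLE: update or apply SUPEE-11155" if result else "fixed release")
    return 1 if result else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A plain version comparison is not enough for Magento 1.x, because applying SUPEE-11155 leaves the version at 1.9.4.1 or 1.14.4.1; the check therefore also accepts the patch marker from the applied-patches list. For 2.x the only fix is the upgrade, so the version number is authoritative.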

For more information on the vulnerable products and the available updates, consult the following Magento security bulletins (in English):

Given the severity of the vulnerabilities addressed by these updates, all operators of websites running Magento are advised to update their platform as a matter of urgency. The new version should be tested in a development environment before it is installed on a production site.
