Ministero dello Sviluppo Economico (Italian Ministry of Economic Development)

CERT Nazionale Italia - Computer Emergency Response Team

Vulnerabilities

Critical security updates for Magento

Security updates have been released for the Magento e-commerce platform that fix a total of 75 vulnerabilities, 9 of them rated critical and a further 10 rated high. If successfully exploited, the most severe of these could allow arbitrary code execution in the context of the affected application, potentially leading to complete compromise of the website.

Details of the vulnerabilities in Magento (in English):

  • [Critical] Arbitrary code execution through design layout update (CVE-2019-7895)
  • [Critical] Arbitrary code execution through product imports and design layout update (CVE-2019-7896)
  • [Critical] Arbitrary code execution via file upload in admin import feature (CVE-2019-7930)
  • [Critical] Security bypass via form data injection (CVE-2019-7871)
  • [Critical] Arbitrary code execution via malicious XML layouts (CVE-2019-7942)
  • [Critical] Remote code execution through crafted email templates (CVE-2019-7903)
  • [Critical] MySQL Error through crafted Elasticsearch query (CVE-2019-7931)
  • [Critical] Arbitrary code execution via crafted sitemap creation (CVE-2019-7932)
  • [Critical] Arbitrary code execution through malicious elastic search module configuration (CVE-2019-7885)
  • [High] Insecure object reference via customer REST API (CVE-2019-7950)
  • [High] Insufficient enforcement of user access controls can lead to unauthorized environment configuration changes (CVE-2019-7904)
  • [High] SQL Injection due to a flaw in MySQL adapter (CVE-2019-7139)
  • [High] Insufficient brute-forcing defenses in the token exchange protocol could be abused in carding attacks (CVE-2019-7928)
  • [High] Arbitrary code execution due to unsafe handling of a carrier gateway (CVE-2019-7892)
  • [High] Arbitrary code execution via layout manipulation (CVE-2019-7876)
  • [High] Arbitrary code execution due to unsafe handling of a carrier gateway (CVE-2019-7923)
  • [High] Arbitrary code execution due to unsafe handling of a shipping gateway (CVE-2019-7913)
  • [High] Arbitrary code execution due to unsafe handling of system configuration (CVE-2019-7911)
  • [High] Security bypass via crafted SOAP requests (CVE-2019-7951)
  • [Medium] Insufficient server side validations leads to Insecure File upload vulnerability (CVE-2019-7861)
  • [Medium] Denial-of-service by forcing a store to respond with a 404 error (CVE-2019-7915)
  • [Medium] Insufficient authorization check when adding users to company accounts (CVE-2019-7872)
  • [Medium] Deletion of user roles via cross-site request forgery (CSRF) (CVE-2019-7874)
  • [Medium] Stored cross-site scripting in the admin panel (CVE-2019-7927)
  • [Medium] Stored cross-site scripting in the admin panel (CVE-2019-7936)
  • [Medium] Stored cross-site scripting in the catalog events feature (CVE-2019-7850)
  • [Medium] Reflected cross-site scripting in the admin panel (CVE-2019-7862)
  • [Medium] Stored cross-site scripting in the admin panel (CVE-2019-7937)
  • [Medium] Unsafe functionality is exposed via email templates manipulation (CVE-2019-7889)
  • [Medium] Stored cross-site scripting in the admin panel (CVE-2019-7897)
  • [Medium] Stored cross-site scripting in admin panel (CVE-2019-7909)
  • [Medium] Stored cross-site scripting in the catalog templates form (CVE-2019-7921)
  • [Medium] Stored cross-site scripting in the admin panel (CVE-2019-7875)
  • [Medium] Insecure Direct Object Reference (IDOR) vulnerability can lead to deletion of downloadable products folder (CVE-2019-7925)
  • [Medium] Stored cross-site scripting in the admin panel (CVE-2019-7926)
  • [Medium] Stored cross-site scripting in the Currency Symbols field (CVE-2019-7945)
  • [Medium] Stored cross-site scripting in the admin panel (CVE-2019-7908)
  • [Medium] Stored cross-site scripting in the admin panel (CVE-2019-7880)
  • [Medium] Stored cross-site scripting in the admin panel (CVE-2019-7877)
  • [Medium] Stored cross-site scripting in the admin panel (CVE-2019-7869)
  • [Medium] Stored cross-site scripting in the admin panel (CVE-2019-7868)
  • [Medium] Stored cross-site scripting in the admin panel (CVE-2019-7867)
  • [Medium] Stored cross-site scripting in the admin panel (CVE-2019-7866)
  • [Medium] Stored cross-site scripting in admin panel (CVE-2019-7863)
  • [Medium] Stored cross-site scripting in the admin panel (CVE-2019-7934)
  • [Medium] Stored cross-site scripting in the admin panel (CVE-2019-7935)
  • [Medium] Stored cross-site scripting in the admin panel (CVE-2019-7938)
  • [Medium] Stored cross-site scripting in the admin panel (CVE-2019-7940)
  • [Medium] Stored cross-site scripting in the Return Product comments feature (CVE-2019-7944)
  • [Medium] Stored Cross Site Scripting in the Admin Panel through the tax/notification/info_url setting (CVE-2019-7853)
  • [Medium] Path traversal vulnerability in WYSIWYG editor (CVE-2019-7859)
  • [Medium] Insecure user credential storage (CVE-2019-7858)
  • [Medium] Use of cryptographically weak PRNG to create gift card codes (CVE-2019-7855)
  • [Medium] Information about disabled products can be leaked due to inadequate validation checks (CVE-2019-7898)
  • [Medium] Insecure Direct Object Reference (IDOR) vulnerability can expose order shipping details (CVE-2019-7890)
  • [Medium] Insecure Direct Object Reference (IDOR) vulnerability can expose sensitive company details (CVE-2019-7854)
  • [Medium] Reflected cross-site scripting in the admin panel (CVE-2019-7887)
  • [Medium] Stored cross-site scripting in store shipping methods configuration (CVE-2019-7881)
  • [Medium] Stored cross-site scripting in the WYSIWYG editor (CVE-2019-7882)
  • [Medium] Reflected cross-site scripting on customer cart page (CVE-2019-7939)
  • [Medium] Sensitive data disclosure through malicious email templates (CVE-2019-7888)
  • [Medium] Sensitive data disclosure via crafted two factor edit user form (CVE-2019-7929)
  • [Medium] Names of disabled products can be leaked due to inadequate validation checks (CVE-2019-7899)
  • [Medium] Insecure token implementation leads to Cross-Site Request Forgery (CSRF) (CVE-2019-7857)
  • [Medium] Deletion of store design schedule via cross-site request forgery (CSRF) (CVE-2019-7873)
  • [Medium] Deletion of Blocks via cross-site request forgery (CSRF) (CVE-2019-7851)
  • [Low] Use of insufficiently random values in multiple security relevant contexts (CVE-2019-7860)
  • [Low] Insecure Direct Object Reference (IDOR) vulnerability can expose order details (CVE-2019-7864)
  • [Low] Use of insufficiently random values when generating initialization vector (CVE-2019-7886)
  • [Low] Insufficient brute force protections on promo code entry (CVE-2019-7846)
  • [Low] Disclosure of Magento admin panel URL (CVE-2019-7852)
  • [Low] Defense-in-depth session validation check implemented (CVE-2019-7849)
  • [Low] Cross site request forgery attacks are possible via the gift card removal feature (CVE-2019-7947)
  • [Low] Cross-site request forgery (CSRF) in checkout cart item (CVE-2019-7865)
  • [Low] Filter extension bypass via crafted store configuration keys (CVE-2019-7912)

The following Magento versions are affected, to varying degrees, by these vulnerabilities:

  • Magento Open Source versions prior to 1.9.4.2
  • Magento Commerce versions prior to 1.14.4.2
  • Magento 2.1 versions prior to 2.1.18
  • Magento 2.2 versions prior to 2.2.9
  • Magento 2.3 versions prior to 2.3.2

To fix these vulnerabilities, apply patch SUPEE-11155 (1.x versions only) or upgrade Magento to one of the following versions:

  • Magento Open Source 1.9.4.2
  • Magento Commerce 1.14.4.2
  • Magento 2.1.18
  • Magento 2.2.9
  • Magento 2.3.2

For more information on the vulnerable products and the available updates, consult the Magento security bulletins for this release (in English).

Given the severity of the vulnerabilities addressed by these updates, all administrators of websites running Magento are urged to update their platform without delay. Test the new version in a development environment before deploying it to a production site. Note that upgrading does not remove anything an attacker may already have placed on a site that was exposed while vulnerable; such sites should also be reviewed for signs of compromise.
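To turn the version table above into a repeatable check, the following script is an added example (not code from CERT Nazionale or from the Magento project). It compares a reported Magento version against the first fixed release of its branch and, for the 1.x branches, also accepts SUPEE-11155 as recorded in `app/etc/applied.patches.list`. The exact wording of `bin/magento --version` output and the line format of `applied.patches.list` are assumptions; the parser only looks for an `x.y.z` substring and for `SUPEE-nnnnn` tokens, so it is tolerant of either. The sample inputs at the bottom are constructed.

```python
import re
from typing import Dict, Iterable, Tuple

# First fixed release per branch, taken from the advisory above.
# For Magento 1.x the branch number identifies the edition
# (1.9 = Open Source, 1.14 = Commerce); Magento 2 editions share version numbers.
FIXED_VERSIONS: Dict[str, str] = {
    "1.9": "1.9.4.2",
    "1.14": "1.14.4.2",
    "2.1": "2.1.18",
    "2.2": "2.2.9",
    "2.3": "2.3.2",
}

# In-place patch that fixes the 1.x branches without a version bump.
SUPEE_PATCH = "SUPEE-11155"

_VERSION_RE = re.compile(r"\d+(?:\.\d+)+")
_SUPEE_RE = re.compile(r"SUPEE-\d+")


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the first dotted version number from free text, e.g. the output of
    `bin/magento --version` on Magento 2 or the value of Mage::getVersion() on
    Magento 1 (exact wording is an assumption; any 'x.y.z' substring is accepted)."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def applied_supee_patches(applied_patches_list: str) -> set:
    """Collect SUPEE identifiers from the contents of app/etc/applied.patches.list,
    the file the Magento 1 patch scripts append to. The file is treated as free
    text, so the exact column layout does not matter."""
    return set(_SUPEE_RE.findall(applied_patches_list))


def assess(version_text: str, applied_patches: Iterable[str] = ()) -> Tuple[bool, str]:
    """Decide whether an installation carries the fixes from this advisory.
    Returns (fixed, reason)."""
    version = parse_version(version_text)
    branch = ".".join(str(p) for p in version[:2])
    pretty = ".".join(str(p) for p in version)
    fixed_text = FIXED_VERSIONS.get(branch)
    if fixed_text is None:
        return False, f"{pretty}: branch {branch} is not listed in this advisory; verify separately"
    fixed = parse_version(fixed_text)
    # Tuple comparison is component-wise, so 2.3.10 correctly ranks above 2.3.2.
    if version >= fixed:
        return True, f"{pretty} is at or above fixed release {fixed_text}"
    if version[0] == 1 and SUPEE_PATCH in set(applied_patches):
        return True, f"{pretty} has {SUPEE_PATCH} applied"
    if version[0] == 1:
        return False, f"{pretty} is older than {fixed_text} and {SUPEE_PATCH} is not applied"
    return False, f"{pretty} is older than {fixed_text}; upgrade"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real installation.
    m2_cli_output = "Magento CLI version 2.3.1"
    m1_version = "1.9.4.1"
    m1_patch_list = "2019-06-25 12:00:00 UTC | SUPEE-11155 | CE_1.9.4.1 | v1 | constructed sample line"

    for label, result in [
        ("Magento 2 host", assess(m2_cli_output)),
        ("Magento 1 host, unpatched", assess(m1_version)),
        ("Magento 1 host, SUPEE applied", assess(m1_version, applied_supee_patches(m1_patch_list))),
    ]:
        status = "FIXED" if result[0] else "VULNERABLE"
        print(f"{label}: {status} ({result[1]})")
```

On a live host, feed `assess()` the captured output of `bin/magento --version` (Magento 2) or of a one-line PHP call to `Mage::getVersion()` (Magento 1), and pass `applied_supee_patches(open("app/etc/applied.patches.list").read())` for 1.x installations. A branch that is not in the table (for example a release newer than this advisory) is reported as "not listed" rather than silently treated as fixed.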
