Magento 2.0.14 And 2.1.7 Security Update

Posted in Magento

Description: Magento Enterprise Edition and Community Edition 2.0.14 and 2.1.7 contain multiple security enhancements.

Fixed items:

  • Remote Code Execution in the Admin panel
  • RCE in video upload
  • Zend Mail vulnerability - continued
  • Customer password hash exposed in admin
  • Possible remote code execution in email reminders
  • Stored XSS in admin panel
  • API tokens not invalidated after disabling admin user
  • Password shown in action log (EE only)
  • Mass actions do not follow ACL
  • UI controllers do not follow ACL
  • APIs vulnerable to CSRF
  • Custom admin path disclosure
  • Information leak
  • Vulnerabilities in JavaScript libraries
  • Incorrect routing of requests

Affected versions:

  • Magento CE and EE prior to 2.0.14/2.1.7
  • Magento CE prior to 1.9.3.3
  • Magento EE prior to 1.14.3.3

Recommended action: Apply the patch or upgrade to the latest Magento version.

Origin URLs:
