Magento SUPEE-9767 patch

Posted in Magento

Description: The Magento team has just released a bundle of patches that resolve several security-related issues.

Changes:

  • Remote code execution through symlinks
  • Remote Code Execution in DataFlow
  • Remote Code Execution in the Admin panel
  • SQL injection in Visual Merchandiser (Enterprise Edition)
  • XSS in data fields
  • XSS in Admin panel configuration
  • Cross-Site Request Forgery (CSRF) after logout - form key not invalidated
  • Bypassing ACLs in store configuration permissions
  • Local File Disclosure for admin users with access to dataflow
  • CSRF Vulnerability in Checkout feature
  • Potential for user name enumeration
  • CSRF cache management
  • Customer passwords exposed in logs
  • Cross-site Request Forgery Vulnerability in Enterprise Edition (EE) Invites
  • Vulnerabilities in JavaScript libraries
  • Incorrect routing of requests

Affected versions:
  • Magento CE prior to 1.9.3.3
  • Magento EE prior to 1.14.3.3
  • Magento 2.0 prior to 2.0.14
  • Magento 2.1 prior to 2.1.7

Recommended action: Apply the patch.
Before applying the patch or upgrading to the latest release, make sure to disable the Symlinks setting in System > Configuration > Advanced > Developer > Enable Symlinks. If this setting is enabled, it overrides the configuration file setting, and changing it will require direct database modification.
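As an added example (not part of the original post), this is the direct database change the note above refers to, written for Magento 1 and assuming the default table name core_config_data (no table prefix) and the config path dev/template/allow_symlink that the Enable Symlinks admin setting writes:

```sql
-- Added example, not from the original post or from Magento.
-- Assumes: default table core_config_data and config path
-- dev/template/allow_symlink (the path written by the admin setting).

-- 1. Check whether the setting is stored at any scope (default, website, store).
--    A row with value = '1' means symlinks are allowed, and this database
--    value takes precedence over the configuration file.
SELECT config_id, scope, scope_id, path, value
FROM core_config_data
WHERE path = 'dev/template/allow_symlink';

-- 2. Disable the setting at every scope in one statement. The rows are
--    updated rather than deleted so an explicit '0' is recorded per scope.
UPDATE core_config_data
SET value = '0'
WHERE path = 'dev/template/allow_symlink';

-- 3. Verify: the count should be 0 before you proceed with the patch.
SELECT COUNT(*) AS still_enabled
FROM core_config_data
WHERE path = 'dev/template/allow_symlink'
  AND value = '1';
```

Refresh the configuration cache afterwards (System > Cache Management, or clear var/cache) so the new value is actually read.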

Origin URLs:
