Magento is now releasing updates of Magento Commerce and Open Source to heighten platform security and functionality:
- Magento Open Source and Commerce 2.2.1
- Magento Open Source and Commerce 2.1.10
- Magento Open Source and Commerce 2.0.17
The latest updates include about 15 security fixes that help close unauthorized data leak, cross-site request forgery (CSRF), stored Cross-Site Scripting (XSS), Local File Inclusion (LFI) and Arbitrary File Delete vulnerabilities, and harden against authenticated Admin user remote code execution (RCE). The versions also contain over 40 functional enhancements, including significant contributions from community members.
Fixed vulnerability: PHP Object Injection in e-mail templates can no longer lead to Remote Code Execution. A user with an admin role with limited privileges can no longer insert malicious code in e-mail templates to create an opportunity for arbitrary remote code execution.
Fixed PHP Object Injections in product attributes, in product entries, in Downloadable Products and in product metadata that led to Remote Code Execution.
Now a user with limited Administrator rights can't:
- insert injectable code in product attributes, potentially leading to arbitrary remote code execution
- insert injectable code in promo fields, creating an opportunity for arbitrary remote code execution
- create a downloadable product that can create an opportunity for arbitrary code execution
- insert injectable code in the swatches feature, creating an opportunity for arbitrary remote code execution
- create a store website that can accept and execute arbitrary remote code
- insert a widget block containing malicious code, creating an opportunity for arbitrary remote code execution
Fixed vulnerability "Local File Inclusion (LFI) in Import History". A user with limited Administrator rights can no longer delete critical system control files through the Import History section to subsequently gain privilege escalation.
Fixed PHP Object Injection in Zend Framework leading to Arbitrary File Deletion. An administrator with limited privileges can no longer inject malicious code that can cause sensitive files to be deleted. In the latest version, an attacker can't then launch a second-stage payload that would lead to arbitrary remote code execution.
Merchants who have not yet downloaded a Magento 2 release should go straight to Magento Commerce or Open Source 2.2.1. The Magento team strongly recommends that all store owners upgrade to these versions as soon as possible. Download and install the latest Magento Commerce releases. The Magento Open Source platform is available from the Open Source download page.