Magento Security Patch 2.2.1, 2.1.10 and 2.0.17 Update

Released on November 7th, 2017, the Magento 2.0.17, 2.2.1, and 2.1.10 Security Patches address several vulnerabilities in Magento 2 (Magento Commerce and Open Source); the fixed versions are 2.0.17, 2.2.1, and 2.1.10. We highly recommend that you download these updates as soon as possible to receive the most up-to-date security protection. If you have not yet downloaded a Magento 2 release, please go to Magento Commerce or Open Source 2.2.1.


Benefits of Magento Security Patch 2.2.1, 2.0.17, and 2.1.10 Update

This update includes fixes for a variety of issues, including the following:

  • Arbitrary file deletion vulnerabilities
  • Cross-site scripting (XSS)
  • Remote code execution (RCE) by a limited-privileged admin
  • Local file inclusion (LFI)

Security enhancements prevent limited-privileged admins from bypassing security mechanisms and then obtaining unauthorized access to data, applications, services, networks, and/or devices. Such admins can also no longer perform certain high-risk and medium-risk actions.


APPSEC-1825: PHP in Email Templates

Rated as a high 8.2 risk per CVSSv3 severity, this particular threat could lead to RCE. Although there have been no known attacks, before the update a limited-privileged admin could insert dangerous PHP code into product attributes, promo fields, email templates, and more.


APPSEC-1830: PHP in Attributes

Also rated as a high 8.2 risk per CVSSv3 severity, with no prior known attacks, this update keeps a limited-privileged admin from inserting PHP code into product attributes, which could otherwise lead to RCE.


APPSEC-1861: PHP – Product Entries

This risk is also rated as high, at 8.2 per CVSSv3 severity, and it could likewise lead to RCE from an admin entering PHP code into promo fields. There have been no known prior attacks, but it is important to protect your site with the Magento 2.1.10, 2.0.17, and 2.2.1 Security Patch.


APPSEC-1881: Downloadable Products

There have been no prior known attacks, but this threat carries a 7.2 CVSSv3 severity rating and could allow a limited-privileged admin to create a downloadable product that leads to RCE.


APPSEC-1893: PHP – Product Metadata

Rated as a high 8.2 risk per CVSSv3 severity, this particular threat could lead to RCE from an admin inserting PHP code into swatches. (No prior known attacks.)


APPSEC-1900: Form Input

Another risk with no prior known attacks but marked as a high 8.2 risk per CVSSv3 severity: a limited-privileged admin could create a store site in a way that leads to RCE.


Get the Magento Security Patch 2.2.1, 2.1.10 and 2.0.17 Update Installed Today

For protection against the threats above and others not listed here, you can trust that your site will be safer with the Magento 2.2.1, 2.0.17, and 2.1.10 security patch updates. You can also trust that Forix will ensure that your installation is implemented correctly and seamlessly. Upgrade today and rest assured knowing that the latest fixes and updates will keep your site as safe as possible.