Magento Security Patch SUPEE-11219


SUPEE-11219 is the security patch Magento released on October 8, 2019, alongside Magento Commerce 1.14.4.3 and Magento Open Source 1.9.4.3. It bundles fixes for a set of vulnerabilities found in earlier versions of both editions, including remote code execution (RCE), cross-site request forgery (CSRF), cross-site scripting (XSS) and other issues.

Magento's support guidance is that SUPEE-11219 applies to the following editions and version ranges:

  • Magento Commerce 1.9.0.0-1.14.4.1: apply the SUPEE-11219 patch or upgrade to Magento Commerce 1.14.4.3.
  • Magento Open Source 1.5.0.0-1.9.4.1: apply the SUPEE-11219 patch or upgrade to Magento Open Source 1.9.4.3.

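As an added example (not code from Forix or Magento), here is a Python script that performs the two checks a practitioner wants before and after applying the patch: whether the installed version falls inside the affected ranges listed above, and whether SUPEE-11219 is already recorded in app/etc/applied.patches.list, the file the Magento 1 patch scripts append to. It reads the version from the getVersionInfo() array in app/Mage.php. The Mage.php fragment and the applied.patches.list contents below are constructed samples, and the pipe-separated record layout with a REVERTED marker for reverted patches is an assumption about that file's format, not something this page states.

```python
import re

# Affected ranges (inclusive) and the fixed releases, as stated in the advisory summary above.
AFFECTED = {
    "CE": ("1.5.0.0", "1.9.4.1"),   # Magento Open Source
    "EE": ("1.9.0.0", "1.14.4.1"),  # Magento Commerce
}
PATCHED_IN = {"CE": "1.9.4.3", "EE": "1.14.4.3"}
PATCH_ID = "SUPEE-11219"

# Constructed sample: the getVersionInfo() array as it appears in app/Mage.php.
SAMPLE_MAGE_PHP = """
    public static function getVersionInfo()
    {
        return array(
            'major'     => '1',
            'minor'     => '9',
            'revision'  => '3',
            'patch'     => '10',
            'stability' => '',
            'number'    => '',
        );
    }
"""

# Constructed sample of app/etc/applied.patches.list (assumed layout: one record per line,
# pipe-separated, patch id in the second field; a revert appends a line containing REVERTED).
SAMPLE_APPLIED = (
    "2019-06-25 10:12:03 UTC | SUPEE-11155 | CE_1.9.3.10 | v1 | 0000000 | v1.9.3.10..v1.9.4.2\n"
)


def parse_version(s):
    # Compare as tuples of ints: as strings, "1.9.3.10" sorts before "1.9.3.9".
    return tuple(int(p) for p in s.split("."))


def version_from_mage_php(source):
    """Extract major.minor.revision.patch from the getVersionInfo() array in app/Mage.php."""
    fields = {}
    for key in ("major", "minor", "revision", "patch"):
        m = re.search(r"'%s'\s*=>\s*'(\d+)'" % key, source)
        if not m:
            raise ValueError("could not find %s in Mage.php" % key)
        fields[key] = m.group(1)
    return ".".join(fields[k] for k in ("major", "minor", "revision", "patch"))


def is_affected(edition, version):
    lo, hi = AFFECTED[edition]
    return parse_version(lo) <= parse_version(version) <= parse_version(hi)


def patch_applied(applied_list, patch_id=PATCH_ID):
    """True if the last record for patch_id in applied.patches.list is not a revert."""
    state = False
    for line in applied_list.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) < 2 or parts[1] != patch_id:
            continue
        state = "REVERTED" not in line
    return state


def assess(edition, mage_php, applied_list):
    """Return (installed version, verdict) for one store."""
    version = version_from_mage_php(mage_php)
    if not is_affected(edition, version):
        return version, "not in affected range"
    if patch_applied(applied_list):
        return version, "affected version, %s applied" % PATCH_ID
    return version, "affected version, %s missing: apply the patch or upgrade to %s" % (
        PATCH_ID, PATCHED_IN[edition])


if __name__ == "__main__":
    # On a real install read app/Mage.php and app/etc/applied.patches.list instead of the samples.
    print(assess("CE", SAMPLE_MAGE_PHP, SAMPLE_APPLIED))
```

Run it from the Magento document root with the two files read from disk; a verdict of "missing" on an affected version means the patch has not been applied (or was reverted) and the store is still exposed to the issues listed below.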

Why Utilize This Patch?

If you cannot upgrade to the current release of Magento Commerce or Open Source, Forix's team of Magento managed support professionals recommends downloading and installing SUPEE-11219. The patch closes the vulnerabilities listed below, several of which let an attacker who holds admin credentials execute arbitrary code on the server or inject script into Admin pages viewed by other administrators. Because every RCE issue it fixes requires an authenticated admin account, the patch complements rather than replaces strong admin credentials and a restricted admin URL. Test the patch on a staging copy of the store before deploying it to production.

Included Security Resolutions

With download and installation assistance from your Forix Magento support team, you can ensure your Magento installation is protected against the following issues:

  • PRODSECBUG-2462: Remote Code Execution Through the File Upload Feature in Admin Support

    An authenticated user with administrative privileges can upload a crafted file through the Admin support feature and thereby execute arbitrary code on the server.

  • PRODSECBUG-2443: Remote Code Execution Through a Crafted Support Configuration Modification

    An authenticated user with administrative privileges can modify the support configuration with crafted parameter values and thereby execute arbitrary code remotely.

    (Note: SUPEE-11219 also addresses several similar remote code execution issues reachable through other authenticated administrator actions, beyond the two listed here.)

  • PRODSECBUG-2328: Sensitive Information Available Through HTTP Request

    The user's CSRF token was included in the URL of GET requests, so it could be exposed wherever URLs are recorded, such as web server and proxy logs, browser history and Referer headers. An attacker with network access who captured the token could use it to perform unauthorized actions on behalf of that user.

  • PRODSECBUG-2344: Cross-Site Scripting With WYSIWYG Editor Privileges

    An authenticated user with access to the WYSIWYG editor can use the block directive to inject malicious JavaScript; the script is stored and executes in the Admin in the browsers of other users who view it.

  • PRODSECBUG-2517: Stored Cross-Site Scripting Via New Profile Action

    An authenticated user with only limited admin privileges can inject arbitrary JavaScript through the New Profile action; the script is stored and runs in the browsers of other admin users who view it.

  • PRODSECBUG-2515: Stored Cross-Site Scripting Using the Transactional Emails Page and Creating a New Email Template

    An authenticated user with only limited admin privileges can inject arbitrary JavaScript through the transactional emails page. Both creating a new email template and editing an existing one are affected.

  • PRODSECBUG-2445: Insufficient Logging or Monitoring of Changes

    Magento's action logging recorded too little detail, so administrators could not reliably trace what was changed and by which account.
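The token-in-URL issue above (PRODSECBUG-2328) is one you can look for in your own access logs before and after patching. The following Python script is an added example, not code from Forix or Magento: it scans combined-format web server log lines for GET requests, and Referer headers, that carry a CSRF token in the query string, and reports them with the token value redacted. It assumes the token travels in a query parameter named form_key (Magento's form key; the page does not name the parameter), and the log lines below are constructed samples.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx combined log format: ip ident user [ts] "METHOD target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption: the CSRF token is carried as the form_key query parameter.
TOKEN_PARAMS = ("form_key",)

# Constructed sample log. Line 2 is a GET whose URL carries the token; line 4 shows the same
# token leaking through a Referer header when the browser fetches a static asset afterwards.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Oct/2019:10:15:02 +0000] "GET /index.php/admin/dashboard/index/key/0123abcd/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Oct/2019:10:15:40 +0000] "GET /index.php/admin/catalog_product/massStatus/key/0123abcd/?form_key=Xy9aBcDeFgHiJkLm&status=0 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Oct/2019:10:16:11 +0000] "POST /index.php/admin/catalog_product/save/key/0123abcd/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [09/Oct/2019:10:17:05 +0000] "GET /static/logo.png HTTP/1.1" 200 840 "https://shop.example/index.php/admin/sales_order/index/?form_key=Xy9aBcDeFgHiJkLm" "Mozilla/5.0"
"""


def token_in_url(url):
    """Return the names of token parameters present in the query string of url."""
    qs = parse_qs(urlsplit(url).query)
    return [p for p in TOKEN_PARAMS if p in qs]


def redact(url):
    """Mask the token value so the report itself does not become a second copy of the leak."""
    return re.sub(r"(form_key=)[^&]+", r"\1<redacted>", url)


def find_token_leaks(log_text):
    """Return (client ip, kind, redacted url) for every line that exposes a token in a URL."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if m["method"] == "GET" and token_in_url(m["target"]):
            findings.append((m["ip"], "token in GET URL", redact(m["target"])))
        if m["referer"] not in ("-", "") and token_in_url(m["referer"]):
            findings.append((m["ip"], "token in Referer", redact(m["referer"])))
    return findings


if __name__ == "__main__":
    for ip, kind, url in find_token_leaks(SAMPLE_LOG):
        print("%-15s %-18s %s" % (ip, kind, url))
```

Any hit after the patch is applied is worth investigating: it means a token is still reaching logs or third-party servers where anyone with read access to them can reuse it. POST bodies are not logged, which is why a token belongs there rather than in the query string.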