Security Updates for Magento 2.2.6 and 2.1.15



The Magento 2.2.6 and 2.1.15 security updates were introduced on September 10, 2018, for Magento Commerce and Magento Open Source editions. The Magento Commerce and Open Source 2.2.6 and 2.1.15 security updates encompass a variety of functional enhancements and security resolutions designed to improve the safety and performance of your Magento shop. The Magento managed support team of development experts at best Magento agency Forix stresses the importance of downloading and installing the Magento Commerce and Open Source 2.2.6 and 2.1.15 security updates to obtain the critical security solutions and the functional improvements provided with the upgrade.


The Magento managed support team at Forix advises users who have not yet downloaded a Magento 2 update to download Magento Commerce or Open Source 2.2.6.


Security Solutions


Magento merchants can count on attaining multiple security corrections after implementing the Magento 2.2.6 and 2.1.15 security updates with the support of Magento managed services from best Magento agency Forix, including:


APPSEC-2003: Remote Code Execution With Varnish Settings in Admin Panel


This security threat can empower an administrator to obtain and read files on a database and execute directions with Varnish. The primary source of this problem was discovered in the Magento 2.2 arrangement configurations for Varnish, which enabled an administrator to whitelist a catalog of IPs, upload an individualized Varnish configuration, and continue to execute it as a complete page cache.


APPSEC-2094: Stored Cross-Site Scripting in Website to Admin in Global Lookup


This issue allows a stored cross-site scripting to be employed by a website user to target admin accounts. This security vulnerability was identified in all versions of the Magento 2 and can be resolved with the implementation of the Magento 2.2.6 and 2.1.15 security updates.


APPSEC-2045: PHP Data Files Can Be Downloaded With Custom Options


This security risk renders it possible for a user with limited permissions to create a new product or make modifications to an existing product. In effect, the product’s price can be altered or entirely removed.


APPSEC-2081: Consumer Address Attribute Data and Information Leak


This security feature protects the address information and attribute data of consumers from being dispersed with the Magento Commerce platform.


APPSEC-2092: Cross-Site Request Forgery in Order Statuses


This security issue can enable an admin to employ the added secret key to URLs with the intention of changing the status of a customer’s order.


APPSEC-2059: Cross-Site Request Forgery Consumer Account Deletion


This security hazard can result in one or several consumer accounts getting deleted.


APPSEC-2058: Cross-Site Request Forgery Deletion of Merchandise


This issue can cause one or several products in a Magento store to get deleted.


APPSEC-2047: Customer Orders Visible Via Frontend


This security threat can reconfigure the Magento sales module to register as either non-private or non-cacheable. Other customers can view a consumer’s data and information as the full-page cache is employed.


In conjunction with the assortment of different security resolutions, the Magento 2.2.6 and 2.1.15 security updates also deliver a bundle of performance features that you can leverage with the aid of Magento ongoing support from top Magento developer Forix. This is one of the many major improvements offered in the upgrade:


APPSEC-2002: Automatic Email Alert When a New Admin Account Is Established


This improvement notifies admins whenever a new admin account is made to ensure authenticity and improve oversight of all accounts.