Magento released the Magento 2.2.6 and 2.1.15 security updates on September 10, 2018, for both the Magento Commerce and Open Source platforms. The Magento Commerce and Open Source 2.2.6 and 2.1.15 security updates include multiple enhancements that serve to strengthen the safety and security of Magento stores. The Magento managed support professionals at top Magento agency Forix highly recommend all Magento merchants download and install the Magento Commerce and Open Source 2.2.6 and 2.1.15 security updates to ensure the protection of their Magento shops.
Magento ongoing support professionals advise all merchants who have not yet installed a Magento 2 update to go directly to Magento Commerce or Open Source 2.2.6.
Users can expect to see multiple security improvements by installing the Magento 2.2.6 and 2.1.15 security updates with Magento managed services from top Magento developer Forix, such as:
APPSEC-2003: RCE Through Varnish Settings in Admin Panel
This high-risk security threat may enable an administrative user to read files on the server and run commands through Varnish. The root cause was in the Magento 2.2 admin configuration settings for Varnish, which allowed an admin to whitelist a list of IPs, download the resulting customized Varnish configuration, and use it for the full-page cache. This threat affects the following Magento versions:
- Magento 2.1 before installing 2.1.15
- Magento 2.2 before installing 2.2.6
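A quick way to confirm whether an installed store is already on one of the fixed releases named above, as an added example in Python (not Magento's or Forix's code). It assumes the version string comes from `php bin/magento --version` and treats branches other than 2.1 and 2.2 as outside the scope of this advisory:

```python
"""Check whether an installed Magento 2 version carries the September 2018
security fixes (2.1.15 / 2.2.6). Added example, not Magento or Forix code."""
import re
import subprocess

# First release on each affected branch that contains the fixes, taken from
# the release announcement above. Other branches are not covered here.
FIXED_VERSIONS = {
    (2, 1): (2, 1, 15),
    (2, 2): (2, 2, 6),
}


def parse_version(text):
    """Turn 'Magento CLI 2.2.5' or '2.2.5-p1' into a (major, minor, patch) tuple.
    Suffixes such as '-p1' are ignored; raises ValueError if no dotted version
    is present in the text."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version number found in %r" % text)
    return tuple(int(p) for p in m.groups())


def security_update_status(version_text):
    """Return 'patched' if the version is at or above the fixed release for its
    branch, 'needs_update' if it is older, or 'not_covered' when the branch is
    not one of the two listed in this advisory (decide those separately)."""
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "not_covered"
    return "patched" if version >= fixed else "needs_update"


if __name__ == "__main__":
    # Assumes the script runs from the Magento root, where the CLI lives at
    # bin/magento; adjust the path for your deployment.
    out = subprocess.run(["php", "bin/magento", "--version"],
                         capture_output=True, text=True).stdout
    print(security_update_status(out))
```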
APPSEC-2094: Stored XSS Site to Admin With Global Search
A stored XSS, injected by a storefront user and targeting administrator accounts, that attackers can easily exploit was found in all Magento 2.x versions. Installing the Magento 2.2.6 and 2.1.15 security updates fixes this vulnerability.
APPSEC-2045: PHP Data Files Can Be Uploaded With Specific Options
This security vulnerability makes it possible for a user with restricted privileges to create a new product, or modify an existing one, so that PHP scripts can be uploaded through a custom option. As a result, the product price could be modified from its original listing.
APPSEC-2081: Consumer Address Attribute Data Leak
This security improvement blocks personal consumer address information and attribute data from being breached in the Magento Commerce platform.
APPSEC-2092: Cross-Site Request Forgery on Order Status
This vulnerability may allow an administrator to alter the status of customer orders by adding a secret key to URLs.
APPSEC-2059: Cross-Site Request Forgery Deletion of Customers
This issue enables the deletion of one or numerous Magento store consumers.
APPSEC-2058: Cross-Site Request Forgery Deletion of Products
This security vulnerability can enable the deletion of one or multiple products in a Magento store.
APPSEC-2047: Customer Orders Visible to Other Consumers Through Frontend
This security issue allows the Magento sales module to be configured as non-private or non-cacheable. When full-page cache is enabled, other customers can then see a user's personal information.
Alongside this range of security fixes, the Magento 2.2.6 and 2.1.15 security updates also include an array of performance improvements that you can make the most of with help from Magento managed services from top Magento agency Forix. One of these key improvements is:
APPSEC-2002: E-mail Admins When a New Admin Account Is Made
This feature assists in the detection of newly created admin accounts by sending an automatic email whenever a new admin account is made.
Contact a Forix expert to learn more about Security Updates for Magento 2.2.6 and 2.1.15.