Magento Community Edition 2.1.x < 2.1.7 / 2.0.x < 2.0.14 Multiple Vulnerabilities

High | Nessus Network Monitor Plugin ID 700415

Synopsis

The remote web server is running an outdated instance of Magento Community Edition (CE) that is affected by multiple vulnerabilities.

Description

Versions of Magento CE 2.1.x prior to 2.1.7 and 2.0.x prior to 2.0.14 are affected by multiple vulnerabilities:

- A remote code execution vulnerability exists that allows store administrators with access to CMS functionality to remotely execute code.
- A remote code execution vulnerability exists in the video upload functionality within the admin panel. This vulnerability allows an attacker with admin access to scan the internal network for open ports/servers and, in some configurations, to upload executable PHP files.
- A remote code execution vulnerability was fixed in versions 2.0.12 and 2.1.4, but a case was discovered that could be used to bypass the implemented protection. The issue is not directly exploitable in Magento 2.
- When editing customer information in 'admin', a customer's password hash is leaked to the page.
- It is possible to instantiate objects in parts of email reminder functionality. While no exploit is known for this issue, it can lead to remote code execution for authorized admins.
- Customer information entered in 'admin' is not properly escaped. This allows lower level admins to possibly attack other administrators. To exploit this issue, admin access is required.
- API tokens are not invalidated after disabling the admin user, which can lead to continued attacks or unauthorized actions.
- Some actions performed by store administrators might generate an admin action log that includes the administrator password in plain text.
- Some mass actions do not check for permissions, allowing low level administrators to perform unauthorized actions.
- Some UI controllers do not check ACL properly, allowing low level administrators to extract data they are not authorized to see.
- Some customer authenticated APIs are vulnerable to cross-site request forgery (XSRF), allowing for phishing attacks.
- The 'Payments' module can disclose a custom admin path location. While not a security issue in itself, it can make it easier to perform password guessing and other attacks.
- Some of the requests returned by AJAX calls in the admin panel contain unnecessary configuration information that might expose sensitive system information.

Solution

Upgrade to Magento CE version 2.1.7 or later. If version 2.1.x cannot be obtained, version 2.0.14 has also been patched for these vulnerabilities.

See Also

https://magento.com/security/patches/magento-2.0.14-and-2.1.7-security-update

Plugin Details

Severity: High

ID: 700415

Family: CGI

Published: 2/11/2019

Updated: 3/6/2019

Risk Information

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 8.4

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:magento:magento

Patch Publication Date: 5/31/2017

Vulnerability Publication Date: 5/31/2017