Magento SUPEE-9767 and Other New Security Updates

Posted by Envision Ecommerce, June 1, 2017

Yesterday, Magento officially announced two security updates on its website that we want to bring to our audience's attention. These updates are:

  • Magento Enterprise Edition and Community Edition 2.0.14 and 2.1.7.
  • SUPEE-9767, Enterprise Edition 1.14.3.3 and Community Edition 1.9.3.3

Magento 2.0.14 and 2.1.7 Security Update

Magento 2.0.14 and 2.1.7 are security updates for Magento 2 that include several security enhancements. Merchants who have not yet moved to a Magento 2.0 release should go directly to Magento Enterprise Edition or Community Edition 2.1.7, since it contains all of these fixes. The update covers:

  • APPSEC-1686: Remote Code Execution in the Admin panel
  • APPSEC-1626: RCE in video upload
  • APPSEC-1746: Zend Mail vulnerability – continued
  • APPSEC-1565: Customer password hash exposed in admin
  • APPSEC-1559: Possible remote code execution in email reminders
  • APPSEC-1752: Stored XSS in admin panel
  • APPSEC-1699: API tokens not invalidated after disabling admin user
  • APPSEC-1632: Password shown in action log (EE only)
  • APPSEC-1663: Mass actions do not follow ACL
  • APPSEC-1661: UI controllers do not follow ACL
  • APPSEC-1679: APIs vulnerable to CSRF
  • APPSEC-1610: Custom admin path disclosure
  • APPSEC-1666: Information leak
  • APPSEC-1659: Vulnerabilities in JavaScript libraries
  • APPSEC-1622: Incorrect routing of requests

For full details, read Magento's official release notes for the Magento 2.0.14 and 2.1.7 Security Update.

Security Patch SUPEE-9767

SUPEE-9767 is a new security patch for Magento 1, especially for the following Magento 1 versions:

  • Enterprise Edition 1.9.0.0-1.14.3.2
  • Community Edition 1.5.0.1-1.9.3.2

Therefore, merchants running Enterprise Edition 1.9.0.0-1.14.3.2 should apply the SUPEE-9767 security patch or upgrade to Enterprise Edition 1.14.3.3, and merchants running Community Edition 1.5.0.1-1.9.3.2 should apply the SUPEE-9767 security patch or upgrade to Community Edition 1.9.3.3. This security patch covers:

  • APPSEC-1281: Remote code execution through symlinks
  • APPSEC-1777: Remote Code Execution in DataFlow
  • APPSEC-1686: Remote Code Execution in the Admin panel
  • APPSEC-1320: SQL injection in Visual Merchandiser (Enterprise Edition)
  • APPSEC-1634: XSS in data fields
  • APPSEC-1759: XSS in Admin panel configuration
  • APPSEC-1549: CSRF after logout – form key not invalidated
  • APPSEC-1693: Bypassing ACLs in store configuration permissions
  • APPSEC-1677: Local File Disclosure for admin users with access to dataflow
  • APPSEC-1546: CSRF Vulnerability in Checkout feature
  • APPSEC-1597: Potential for user name enumeration
  • APPSEC-1695: CSRF cache management
  • APPSEC-1324: Customer passwords exposed in logs
  • APPSEC-1675: Cross-site Request Forgery Vulnerability in Enterprise Edition (EE) Invites
  • APPSEC-1659: Vulnerabilities in JavaScript libraries
  • APPSEC-1622: Incorrect routing of requests
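As an added example (not from the post or from Magento), a small Python check that applies the version ranges above to decide whether a Magento 1 store still needs SUPEE-9767. It assumes the pipe-separated layout of `app/etc/applied.patches.list` with the patch name in the second field, and the sample list content is constructed for the example.

```python
import re

# Affected version ranges from the advisory (inclusive), keyed by edition.
AFFECTED = {"EE": ("1.9.0.0", "1.14.3.2"), "CE": ("1.5.0.1", "1.9.3.2")}
# Releases that already ship the fix, so no patch is needed there.
FIXED = {"EE": "1.14.3.3", "CE": "1.9.3.3"}
PATCH = "SUPEE-9767"

# Constructed sample of app/etc/applied.patches.list (assumed layout:
# date | patch name | edition_version | v | hash | commit date | range).
SAMPLE_PATCHES = """\
2016-10-11 12:33:40 UTC | SUPEE-8788 | CE_1.9.2.4 | v1 | 0000000 | Mon Oct 10 2016 | v1.9.2.4..HEAD
2017-06-01 09:00:00 UTC | SUPEE-9767 | CE_1.9.2.4 | v1 | 0000000 | Wed May 31 2017 | v1.9.2.4..HEAD
"""


def parse_version(v):
    """Turn '1.14.3.2' into (1, 14, 3, 2) so that comparisons are numeric;
    a string comparison would wrongly rank '1.14' below '1.9'."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def applied_patches(text):
    """Return the set of patch names recorded in applied.patches.list."""
    names = set()
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) >= 2 and fields[1]:
            names.add(fields[1])
    return names


def check(edition, version, patches_text):
    """Decide what the advisory asks of one store; returns a short verdict."""
    ver = parse_version(version)
    if ver >= parse_version(FIXED[edition]):
        return "ok: release %s %s already includes the fix" % (edition, version)
    lo, hi = (parse_version(x) for x in AFFECTED[edition])
    if not (lo <= ver <= hi):
        return "outside: %s %s is not in the advisory's listed range" % (edition, version)
    if PATCH in applied_patches(patches_text):
        return "ok: %s already applied" % PATCH
    return "action: apply %s or upgrade to %s %s" % (PATCH, edition, FIXED[edition])


if __name__ == "__main__":
    print(check("CE", "1.9.2.4", SAMPLE_PATCHES))
    print(check("EE", "1.14.1.0", ""))
```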

To find out more about this new Magento security patch, follow the SUPEE-9767 release information. So what are you waiting for? Update your Magento store to the latest release or apply the latest security patch to make it more robust and secure.

For more information or help with installation, you can contact us at [email protected]. We at Envision Ecommerce have successfully installed the security patches for over 80 stores, so we know how to secure your store, and you can use our Magento services to get it done quickly and safely.