Magento SUPEE-9767 and Other New Security Updates

  • Nidhi Arora
  • 8 years ago

Yesterday Magento officially announced two security updates on its website; both are important enough that we want to bring them to our readers' attention. The updates are:

  • Adobe Commerce (Magento Commerce) Edition and Community Edition 2.0.14 and 2.1.7
  • SUPEE-9767, Enterprise Edition 1.14.3.3 and Community Edition 1.9.3.3

Magento 2.0.14 and 2.1.7 Security Update

Magento 2.0.14 and 2.1.7 are security updates for Magento 2 that include several security enhancements. Merchants who have not yet moved to a Magento 2.0 release should go directly to Adobe Commerce (Magento Commerce) Edition or Community Edition 2.1.7, which is the more secure version as a result of these enhancements. The release addresses:

  • APPSEC-1686: Remote Code Execution in the Admin panel
  • APPSEC-1626: RCE in video upload
  • APPSEC-1746: Zend Mail vulnerability – continued
  • APPSEC-1565: Customer password hash exposed in admin
  • APPSEC-1559: Possible remote code execution in email reminders
  • APPSEC-1752: Stored XSS in admin panel
  • APPSEC-1699: API tokens not invalidated after disabling admin user
  • APPSEC-1632: Password shown in action log (EE only)
  • APPSEC-1663: Mass actions do not follow ACL
  • APPSEC-1661: UI controllers do not follow ACL
  • APPSEC-1679: APIs vulnerable to CSRF
  • APPSEC-1610: Custom admin path disclosure
  • APPSEC-1666: Information leak
  • APPSEC-1659: Vulnerabilities in JavaScript libraries
  • APPSEC-1622: Incorrect routing of requests

For full details, see Magento's official release notes for the Magento 2.0.14 and 2.1.7 Security Update.

Security Patch SUPEE-9767

SUPEE-9767 is a new security patch for Magento 1, covering the following Magento 1 versions:

  • Enterprise Edition 1.9.0.0-1.14.3.2
  • Community Edition 1.5.0.1-1.9.3.2

Merchants running Enterprise Edition 1.9.0.0-1.14.3.2 should therefore apply the SUPEE-9767 security patch or upgrade to Enterprise Edition 1.14.3.3, and merchants running Community Edition 1.5.0.1-1.9.3.2 should apply the SUPEE-9767 security patch or upgrade to Community Edition 1.9.3.3. This security patch covers:

  • APPSEC-1281: Remote code execution through symlinks
  • APPSEC-1777: Remote Code Execution in DataFlow
  • APPSEC-1686: Remote Code Execution in the Admin panel
  • APPSEC-1320: SQL injection in Visual Merchandiser (Enterprise Edition)
  • APPSEC-1634: XSS in data fields
  • APPSEC-1759: XSS in Admin panel configuration
  • APPSEC-1549: CSRF after logout – form key not invalidated
  • APPSEC-1693: Bypassing ACLs in store configuration permissions
  • APPSEC-1677: Local File Disclosure for admin users with access to dataflow
  • APPSEC-1546: CSRF Vulnerability in Checkout feature
  • APPSEC-1597: Potential for user name enumeration
  • APPSEC-1695: CSRF cache management
  • APPSEC-1324: Customer passwords exposed in logs
  • APPSEC-1675: Cross-site Request Forgery Vulnerability in Enterprise Edition (EE) Invites
  • APPSEC-1659: Vulnerabilities in JavaScript libraries
  • APPSEC-1622: Incorrect routing of requests
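To help decide where a given store stands against this advisory, here is an added example (not from the original post and not Magento's own tooling) that classifies a Magento 1 store using the version ranges given above. It assumes the edition is CE or EE, the version is what Mage::getVersion() reports, and the list file is the store's app/etc/applied.patches.list, the file Magento 1 patch scripts append an entry to when a SUPEE patch is applied.

```shell
#!/bin/sh
# Added example, not from the original post or from Magento: classify a Magento 1
# store against the SUPEE-9767 advisory using the version ranges given above.
# Assumptions: EDITION is CE or EE, VERSION is what Mage::getVersion() reports,
# and LISTFILE is the store's app/etc/applied.patches.list, the file Magento 1
# patch scripts append an entry to when a SUPEE patch is applied.

# version_le A B: succeeds when dotted version A is less than or equal to B.
version_le() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# patch_applied LISTFILE PATCH: succeeds when PATCH is named in the list file.
patch_applied() {
    [ -f "$1" ] && grep -qF -- "$2" "$1"
}

# supee9767_status EDITION VERSION LISTFILE
# Prints one of: upgraded, not-affected, patched, patch-required.
supee9767_status() {
    case "$1" in
        CE) low=1.5.0.1; high=1.9.3.2;  fixed=1.9.3.3  ;;
        EE) low=1.9.0.0; high=1.14.3.2; fixed=1.14.3.3 ;;
        *)  echo not-affected; return 0 ;;
    esac
    if version_le "$fixed" "$2"; then
        echo upgraded                      # already on the fixed release or later
    elif ! version_le "$low" "$2" || ! version_le "$2" "$high"; then
        echo not-affected                  # outside the advisory's version range
    elif patch_applied "$3" SUPEE-9767; then
        echo patched
    else
        echo patch-required
    fi
}

# Constructed sample applied.patches.list (field layout modelled on real entries;
# dates, the SUPEE-XXXX placeholder and the trailing field are illustrative only).
SAMPLE_LIST=$(mktemp)
trap 'rm -f "$SAMPLE_LIST"' EXIT
cat > "$SAMPLE_LIST" <<'EOF'
2016-10-12 14:02:11 UTC | SUPEE-XXXX | CE_1.9.2.4 | v1 | placeholder-entry
2017-06-01 09:30:45 UTC | SUPEE-9767 | CE_1.9.3.2 | v1 | placeholder-entry
EOF

supee9767_status CE 1.9.3.2 "$SAMPLE_LIST"   # patched
supee9767_status EE 1.14.3.2 /dev/null       # patch-required
supee9767_status CE 1.9.3.3 /dev/null        # upgraded
```

A store reporting patch-required is in the affected range with no SUPEE-9767 entry on record and should be patched or upgraded as described above.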

To find out more about this new Magento security patch, see Magento's SUPEE-9767 page. So what are you waiting for? Update your Magento store to the latest release or apply the latest security patch to make it more robust and secure.

For more information, or if you need help with installation, you can contact us at info@envisionecommerce.com. We at Envision Ecommerce have successfully installed security patches on more than 80 stores, so we know what it takes to secure your store; connect with our Magento services and we will do it quickly and safely for you.
