Magento developers fixed 10-point RCE vulnerability

CMS Magento developers prepared a patch that fixes a 10-point RCE vulnerability in the e-commerce platform.

The update addresses the vulnerability CVE-2019-8144 in Magento Commerce 2.3.1 and 2.3.2, as well as in earlier versions of the Page Builder extension. The disadvantage is related to problems in implementing Page Builder preview methods and allows an unauthorized attacker to remotely download third-party scripts to the pages of the online store. The critical RCE-bug received from experts 10 points, a maximum point rating on the CVSS scale.

A month earlier, developers closed this problem with the release of Magento 2.2.10 and 2.3.3 for the Open Source and Commerce branches, as well as a special update from version 2.3.2-p1 to 2.3.2-p2.

The current patch is intended for those who, for whatever reason, cannot switch to the latest releases of the system.

“This vulnerability allows an unauthenticated user to insert a malicious payload on the seller’s website and launch it, so we recommend installing the update as soon as possible”, – report the developers and recommend that users not only install the patch, but upgrade to the latest version 2.3.3.

The update affects only the paid Magento product line; for sites running on outdated builds of a non-commercial engine, patches are not provided.

The developers note that the update closes the vulnerability, but does not eliminate the results of its operation. If the attackers managed to take advantage of the bug and embed their script on the site, administrators need to remove it themselves. The creators of the system recommend a thorough audit of the web resource to exclude the presence of malicious injections.

Read also: Magento may deprive support of more than 200 thousand sites

Installing the patch will make it impossible to edit individual email templates in Magento 2.3.1, however, this function will still be available when accessing them from the grid of these objects.

Users of the cloud version of the platform do not need to install the patch – Magento Commerce Cloud received updates automatically.

“System administrators will not be able to access the preview pages for products, blocks and dynamic blocks, but they promise to restore this feature in the near future”, – warn the Magento developers.