SUPEE-11086, Magento Commerce 1.14.4.1 and Open Source 1.9.4.1 contain multiple security enhancements that help close remote code execution (RCE), cross-site scripting (XSS), cross-site request forgery (CSRF) and other vulnerabilities.
Patches and upgrades are available for the following Magento versions:
- Magento Commerce 1.9.0.0-1.14.4.0: SUPEE-11086 or upgrade to Magento Commerce 1.14.4.1.
- Magento Open Source 1.5.0.0-1.9.4.0: SUPEE-11086 or upgrade to Magento Open Source 1.9.4.1.
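The following Python check, added here as an example and not part of Magento or of this advisory, decides from an edition and version string whether an installation is already on a fixed release, sits in a range that SUPEE-11086 covers, or is older than any version the advisory lists. It assumes that an applied patch is recorded by its SUPEE id on a line of `app/etc/applied.patches.list`; the sample file contents are constructed.

```python
"""Applicability check for SUPEE-11086 (added example, not Magento code)."""
import re

# Affected ranges and fixed releases exactly as stated in the advisory.
AFFECTED = {
    "commerce": (("1.9.0.0", "1.14.4.0"), "1.14.4.1"),
    "open_source": (("1.5.0.0", "1.9.4.0"), "1.9.4.1"),
}

# Constructed sample of app/etc/applied.patches.list after the patch was applied
# (format assumed: one line per applied patch, containing the SUPEE id).
CONSTRUCTED_APPLIED_LIST = (
    "2019-03-26 10:00:00 UTC | SUPEE-11086 | CE_1.9.4.0 | v1 | applied\n"
)


def parse_version(version):
    """Turn '1.14.4.0' into a tuple of ints so that 1.9.x sorts below 1.14.x.

    Plain string comparison would rank '1.9.4.0' above '1.14.4.0', so the
    four-part form is enforced and compared numerically.
    """
    if not re.fullmatch(r"\d+(\.\d+){3}", version):
        raise ValueError(f"unexpected Magento 1 version string: {version!r}")
    return tuple(int(part) for part in version.split("."))


def patch_applied(applied_patches_list):
    """True if SUPEE-11086 is recorded in the applied.patches.list contents."""
    return any("SUPEE-11086" in line for line in applied_patches_list.splitlines())


def assess(edition, version, applied_patches_list=""):
    """Return 'fixed_release', 'patched', 'needs_patch' or 'out_of_range'."""
    (low, high), fixed = AFFECTED[edition]
    current = parse_version(version)
    if current >= parse_version(fixed):
        return "fixed_release"
    if not parse_version(low) <= current <= parse_version(high):
        # Older than any version the advisory lists: the patch is not offered,
        # so upgrading to the fixed release is the only route.
        return "out_of_range"
    return "patched" if patch_applied(applied_patches_list) else "needs_patch"
```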
List of High CVSSv3 Severity Issues Addressed by this Security Patch
- SQL Injection vulnerability through an unauthenticated user: An unauthenticated user can execute arbitrary code through an SQL injection vulnerability, which causes sensitive data leakage.
- Remote code execution via server side request forgery: An authenticated user with administrative privileges to store configuration can execute arbitrary code via server side request forgery (SSRF) issued to Redis. The SSRF is facilitated through a crafted gateway XML URL configuration.
- Arbitrary code execution due to unsafe handling of a malicious product attribute configuration: An authenticated user with privileges to configure products can execute arbitrary PHP code.
- Arbitrary code execution due to unsafe deserialization of a PHP archive: An authenticated user with administrative privileges can execute arbitrary code through a Phar deserialization vulnerability.
- Arbitrary code execution due to unsafe handling of a malicious layout update: An authenticated user with privileges to the dataflow importer and catalog categories can execute arbitrary PHP code.
- Remote code execution through PHP code that can be uploaded to the nginx server due to crafted customer store attributes: An authenticated user with privileges to modify a customer's store attributes can execute arbitrary code when allowed to upload PHP input files to the nginx server.
- Remote code execution through arbitrary XML data sent through a layout table: An authenticated user with administrative privileges to modify layouts can execute arbitrary code by injecting arbitrary XML data into a layout table.
- Arbitrary code execution through bypass of PHP file upload restriction: An authenticated user with privileges to system configuration files can bypass file upload restrictions and upload and execute arbitrary PHP code.
- Arbitrary code execution due to bypass of layout validator: An authenticated user with privileges can bypass the layout validator and execute arbitrary code through layout updates in the Admin.
Source: Magento Patches