NEW MAGENTO SECURITY PATCH SUPEE-11155 RELEASED

Aakanksha Patel2024-11-20T21:30:04+00:00Categories: Magento|

NEW MAGENTO SECURITY PATCH SUPEE-11155 RELEASED

SUPEE-11155, Magento Commerce 1.14.4.2 and Open Source 1.9.4.2 contain multiple security enhancements that help close remote code execution (RCE), cross-site scripting (XSS), cross-site request forgery (CSRF) and other vulnerabilities.

Patches and upgrades are available for the following Magento versions:

Magento Commerce 1.9.0.0-1.14.4.1: SUPEE-11155 or upgrade to Magento Commerce 1.14.4.2.
Magento Open Source 1.5.0.0-1.9.4.1: SUPEE-11155 or upgrade to Magento Open Source 1.9.4.2.

List of High CVSSv3 Severity Issues Addressed by this Security Patch

Arbitrary code execution in the advanced admin logging configuration – CVE-2019-7893
A user with administrator privileges and access to the advanced admin logging configuration can trigger remote code execution via PHP Object Injection.
Arbitrary code execution by importing malicious dataflow profiles – CVE-2019-7884 An authenticated user with privileges to edit block permission, import dataflow functionality, and modify CMS content can execute arbitrary code by importing malicious dataflow profiles.
Arbitrary code execution via crafted sitemap creation – CVE-2019-7932
An authenticated user with admin privileges to create sitemaps can execute arbitrary code by crafted filenames that include php extension within the XML filename.
PHP Object Injection in the Currency setup feature can lead to arbitrary code execution – CVE-2019-7914
A PHP Object Injection vulnerability in the currency setup feature can be exploited by an authenticated user with administrator privileges to execute arbitrate code.
PHP Object Injection in the Admin Actions Logging feature can lead to arbitrary code execution – CVE-2019-7946
A PHP Object Injection vulnerability in the admin actions logging configuration feature can be exploited by an authenticated user with administrator privileges to execute arbitrate code.
PHP Object Injection in the Model Design Package can lead to arbitrary code execution – CVE-2019-7906
A PHP Object Injection vulnerability in the model design package can be exploited by an authenticated user with administrator privileges to execute arbitrate code.
PHP Object Injection in the Enterprise Logging feature can lead to arbitrary code execution – CVE-2019-7905
A PHP Object Injection vulnerability in the enterprise logging configuration feature can be exploited by an authenticated user with administrator privileges to execute arbitrate code.
Remote code execution via dataflow import and catalog functionality – CVE-2019-7952
An authenticated user with admin privileges can execute arbitrary code via layout upates when using crafted combination of data flow import and catalog categories.
Arbitrary code execution due to unsafe handling of system configuration – CVE-2019-7911
An authenticated user with admin privileges to manipulate system configuration can execute arbitrary code through server-side request forgery.
Arbitrary code execution due to unsafe handling of payment bridge gateway – CVE-2019-7910
An authenticated user with admin privileges to manipulate payment methods can execute arbitrary code through server-side request forgery.
Arbitrary code execution due to unsafe deserialization of configuration fields – CVE-2019-7907
An authenticated user with configuration privileges can execute arbitrary code due to unserialization of user controlled configuration values.
Stored cross-site scripting in admin panel – CVE-2019-7909
A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript.
Stored cross-site scripting in the admin panel – CVE-2019-7875
A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript.
Stored cross-site scripting in the admin panel – CVE-2019-7933
A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript.Source: Magento

Source: Magento Security Patch

Book a time to Consult with our Certified Professionals

Related Posts

APSB24-90 Security Update

Adobe Releases Critical Security Update: APSB24-90

Hyvä Theme VS Luma Theme

Hyvä Theme vs. Luma Theme: Which One is Right for Your Magento Store?

Hyvä Theme SEO Benefits

How the Hyvä Theme Can Improve Core Web Vitals and Page Speed for Magento Stores

Cosmicsting Fallout

Security Alert: CosmicSting Bug Targets Adobe Commerce Stores in Massive Hack Attack

Bold Fastlane by PayPal

Upleveling your Checkout Game on Magento

Adobe Security Update APSB24-61

APSB24-61: Addressing the Latest Security Threat to Adobe Commerce and Magento Open Source

Adobe Security Update: APSB24-40

Urgent Security Update Released for Adobe Commerce and Magento Open Source: APSB24-40

Magento 2.4.7 Released Magento Open Source and Adobe Commerce

Magento 2.4.7 Released: Magento Open Source and Adobe Commerce

Urgent Security Update Released for Adobe Commerce and Magento Open Source: APSB24-18

Urgent Security Update Released for Adobe Commerce and Magento Open Source: APSB24-18

Urgent Security Update Released for Adobe Commerce and Magento Open Source APSB24

Urgent Security Update Released for Adobe Commerce and Magento Open Source: APSB24-03

Magento 2.4.7 Beta 1 Released Magento Open Source and Adobe Commerce

Magento 2.4.7-beta1 Released: Magento Open Source and Adobe Commerce

Adobe Commerce 2.4.6 - P1 Release Notes

Adobe Commerce 2.4.6-P1 Release Notes

Adobe Commerce vs Shopify Plus Which One Is Better for eCommerce Development

Adobe Commerce vs. Shopify Plus: Which One Is Better for eCommerce Development?

Adobe Commerce 2.4.5-P3 Release Notes

Adobe Commerce 2.4.5-P3 Release Notes

Magento Open Source and Adobe Commerce 2.4.6 Release Why You Need to Upgrade?

Magento Open Source and Adobe Commerce 2.4.6 Release: Why You Need to Upgrade?

Adobe Commerce (Magento) 2.4.6 Will Be Released on March 14th, 2023

Adobe Commerce (Magento) 2.4.6 Will Be Released on March 14th, 2023

The 15 Best Practices to Adhere to When Migrating to Magento 2

The 15 Best Practices to Adhere to When Migrating to Magento 2

What Are the Best Magento 2 Extensions for B2B Business

What Are the Best Magento 2 Extensions for B2B Business?

Meet Magento Florida 2023

The Largest Magento Event in the Southeast Is Set to Take Place February 15th-16th 2023

Meet Magento Florida 2023

The Largest Magento Event in the Southeast Is Set to Take Place February 15th-16th

Why Do You Need Magento Maintenance And Support After Launch

Why Do You Need Magento Maintenance And Support After Launch?

Adobe Commerce 2.4.5 Highlights – Why Do You Need To Upgrade?

Adobe Commerce 2.4.5 Highlights – Why Do You Need To Upgrade?

Magento Q4 2021 update of 2.4.3

Magento’s Q4 2021 update of 2.4.3-p1 and 2.3.7-p2

Top Magento Ranked 2021

Rave Digital Is Among Top Magento Development Companies

A Cookieless Future: The Key Takeaway from Adobe Summit 2021