Magento Commerce and Open Source 2.2.3, 2.1.12 and 2.0.18 contain multiple security enhancements that close cross-site scripting (XSS), authenticated remote code execution (RCE) by admin users, and other vulnerabilities. The releases also contain additional functional fixes. To learn more about the functional fixes, please read the release notes for Magento Commerce 2.0.18, 2.1.12, 2.2.3 and Magento Open Source 2.0.18, 2.1.12, 2.2.3.
New Magento installations
Merchants who have not yet downloaded a Magento 2 version should go directly to Magento Commerce or Open Source version 2.2.3.
Closed vulnerabilities
The update closes the following vulnerabilities:
- APPSEC-1951: JavaScript execution in the administrator panel
- APPSEC-1952: Remote Code Execution using media upload
- APPSEC-1865: Cross-Site Scripting in customer information
- APPSEC-1907: Cross-site Scripting in Customer Address
- APPSEC-1935: Cross-site Scripting leading to Denial-of-Service
- APPSEC-1977: Common Server Misconfiguration causes data leak
- APPSEC-1901: Local file inclusion in customer view
- APPSEC-1944: CSRF in Store Backups
- APPSEC-1986: Local file inclusion in import history
- APPSEC-1929: Path Traversal in Image Upload
- APPSEC-1960: Path Traversal in static.php file
- APPSEC-1879: Cross-site Scripting in Downloadable Products
- APPSEC-1891: Cross-site Scripting in Admin Shipment tracking
- APPSEC-1905: Cross-site Scripting in detailed rating
- APPSEC-1906: Cross-site Scripting in System Configuration
- APPSEC-1908/1948: Cross-site Scripting in custom variable
- APPSEC-1916: Cross-site Scripting in Attribute Group Name
- APPSEC-1928: Cross-site Scripting in Downloadable Product Link
- APPSEC-1944: Cross-site Scripting in Date fields
- APPSEC-1945: Cross-site Scripting in Product SKU
- APPSEC-1947: Cross-site Scripting in RMA functionality
- APPSEC-1973: Cross-site Scripting in Newsletter Template
- APPSEC-1873/1979/1980: Cross-site Scripting in Site Settings
- APPSEC-1995: Cross-site Scripting in Downloadable Products
- APPSEC-1998: Cross-site Scripting in Product Attributes
- APPSEC-1878/1890: Cross-site Scripting in CMS hierarchy
- APSSEC-1488: Cross-site Scripting in Status Message (continuation)
- APPSEC-1272: No CSRF Protection in Order Printing
- APPSEC-1889: CSRF Protection Bypass
- APPSEC-1553: Access to Gift Registries of Other Users
- APPSEC-1937: Information Exposure
- APPSEC-1895: Information Exposure
- APPSEC-1967: Password Change Session Management
- APPSEC-1972: Password Reset Session Management
Make sure you implement and test the patch in a development environment, to confirm that it works as expected, before deploying it to a production environment.