
The Magento 2.1.9 and 2.0.16 updates brought a lot of patches: XSS, CSRF, unauthorized data access, and protection from malicious administrators / store operators.
Even Magento 1.x got its share: 1.9.3.6 and 1.14.3.6 received updates.
For simplicity, let's call the malicious administrator / operator "Odmin".
Update: Added description of how data leaks about ordered products.
Critical (1)
APPSEC-1800 Remote Code Execution vulnerability in CMS and layouts
Literally: Odmin can write code that will be executed on the server. This is all thanks to layouts, from which code execution could be triggered. In Magento 1.x it was once possible to write a layout configuration that showed the contents of any file on the product page. Most likely something very similar is used here, or one of the blocks lets you pass it a "harmful parameter".
High risk (3)
APPSEC-1887 Odmin could read what they should not have been reading.
APPSEC-1850 Odmin could delete something very important and bring the shop down.
APPSEC-1851 RCE Odmin could execute malicious code; the consequences are easy to imagine.
Medium risk (29)
APPSEC-1567 A customer could obtain order data, but only after crafting a cookie.
APPSEC-1769 Odmin could write a broken sitemap.
APPSEC-1713 Important data could be obtained via system links.
APPSEC-1852 XSS and CSRF Odmin could plant XSS and CSRF.
APPSEC-1482 Ability to send "not there".
APPSEC-1502 XSS Odmin could plant code in a product type name.
APPSEC-1494 XSS Someone sitting between the server and the news XML feed could inject their own XML.
APPSEC-1793 RCE On servers running Nginx, a file could be uploaded and executed.
APPSEC-1819 Hijacking of a customer session that has not yet expired.
APPSEC-1802 CSRF Customer account management could be hijacked.
APPSEC-1493 XSS Code could be entered in the page title.
APPSEC-1755 CSRF Actions could be performed once the customer had logged in.
APPSEC-1853 XSS and CSRF Odmin could inject in the mailing module.
APPSEC-1729 XSS Odmin could add code to an order status title.
APPSEC-1591 XSS Odmin could plant code in product images.
APPSEC-1896 XSS Odmin could put malicious code in an order.
APPSEC-1673 XSS Odmin could plant code via an SVG favicon.
APPSEC-1773 DoS Odmin could specify a page ID when creating a page so that no new pages could be created afterwards.
APPSEC-1577 XSS Odmin could add code when activating integrations.
APPSEC-1510 Odmin with limited rights could replace the favicon.
APPSEC-1545 XSS Odmin could put code in customer fields.
APPSEC-1535 Odmin could edit values through inline editing in grids.
APPSEC-1588 A malicious party could "leak" data on all previous orders during order placement.
APPSEC-1701 Possible reuse of API sessions.
APPSEC-1630 The status of the system update could be viewed.
APPSEC-1628 An absolute path on the server could be obtained.
APPSEC-1599 The browser tries to autofill the login for the admin panel.
Low risk (2)
APPSEC-1709 The admin's e-mail address could be obtained.
APPSEC-1495 An order field could be edited without viewing rights.
Interesting attacks
Interestingly, these also work on Magento 1.x.
APPSEC-1793 nginx is very often used on production systems.
APPSEC-1588 You could find out which customers of a competitor bought which goods.
Using order line identifiers: we try to add a product to our own basket by the line identifier from an earlier order, and the product gets added.
It does not give the time, the order or the date, but if you start to "follow" the store from some moment X, you can collect data about what customers bought since X. To collect such data you need to poll the system regularly.
At moment X you need to know the ID of the last ordered line item. You can also build a database of the store's best-selling goods, as long as the goods are not removed.
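The polling pattern just described leaves a trace in the web server log: one client keeps coming back to the add-to-cart endpoint with ever-higher order line ids, while a genuine reorder references a handful of ids from a single order in one request. Below is an added detection example; it is not code from this post or from Magento. It assumes combined-format access logs, assumes the reorder route is /checkout/cart/addgroup/ with ids passed as order_items[] (treat the path as an assumption that stands in for whatever the store actually exposes), and runs over constructed sample lines.

```python
import re
from collections import defaultdict

# Combined-log-format request line; only the fields the detector needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# order_items[]=123, either raw or URL-encoded (order_items%5B%5D=123).
ITEM_RE = re.compile(r'order_items(?:\[\]|%5B%5D)=(\d+)')

# Assumed reorder route; stands in for whatever the store really exposes.
REORDER_PATH = "/checkout/cart/addgroup/"

# Constructed sample log (not from the post): one real reorder of two items
# from the same order, one client walking item ids every 15 minutes,
# one client adding two items once, and an unrelated catalog request.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2017:10:00:01 +0000] "GET /checkout/cart/addgroup/?order_items[]=5120&order_items[]=5121 HTTP/1.1" 302 0
198.51.100.9 - - [10/Sep/2017:10:05:00 +0000] "GET /checkout/cart/addgroup/?order_items[]=5122 HTTP/1.1" 302 0
192.0.2.33 - - [10/Sep/2017:10:07:30 +0000] "GET /catalog/product/view/id/12/ HTTP/1.1" 200 8812
198.51.100.9 - - [10/Sep/2017:10:20:00 +0000] "GET /checkout/cart/addgroup/?order_items%5B%5D=5123 HTTP/1.1" 302 0
192.0.2.33 - - [10/Sep/2017:10:21:00 +0000] "GET /checkout/cart/addgroup/?order_items[]=4001&order_items[]=4002 HTTP/1.1" 302 0
198.51.100.9 - - [10/Sep/2017:10:35:00 +0000] "GET /checkout/cart/addgroup/?order_items[]=5124 HTTP/1.1" 302 0
198.51.100.9 - - [10/Sep/2017:10:50:00 +0000] "GET /checkout/cart/addgroup/?order_items[]=5125 HTTP/1.1" 302 0
198.51.100.9 - - [10/Sep/2017:11:05:00 +0000] "GET /checkout/cart/addgroup/?order_items[]=5126 HTTP/1.1" 302 0
"""


def parse_reorder_requests(log_text, path=REORDER_PATH):
    """Return {client_ip: [[ids of request 1], [ids of request 2], ...]}.

    Keys on client IP for the sample; on a real store key on the session
    or customer id instead, since the poller needs a session to hold a cart.
    """
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith(path):
            continue
        ids = [int(x) for x in ITEM_RE.findall(m.group("path"))]
        if ids:
            by_client[m.group("ip")].append(ids)
    return dict(by_client)


def find_enumerators(by_client, min_requests=3, min_distinct=4, max_gap=50):
    """Flag clients whose reorder requests walk item ids forward over time.

    A genuine reorder references a few ids from one order in one request.
    The poller keeps returning with new, higher ids (the lines ordered since
    its last poll), so its ids across requests ascend with small gaps.
    Returns {client: (first_id, last_id, distinct_id_count)}.
    """
    flagged = {}
    for client, requests in by_client.items():
        if len(requests) < min_requests:
            continue
        ids = [i for req in requests for i in req]
        if len(set(ids)) < min_distinct:
            continue
        gaps = [b - a for a, b in zip(ids, ids[1:])]
        if all(0 < g <= max_gap for g in gaps):
            flagged[client] = (ids[0], ids[-1], len(set(ids)))
    return flagged


if __name__ == "__main__":
    hits = find_enumerators(parse_reorder_requests(SAMPLE_LOG))
    for client, (first, last, n) in hits.items():
        print(f"{client}: walked {n} order line ids from {first} to {last}")
```

On the sample only 198.51.100.9 is flagged; the two-item reorder and the single-request customer stay below the thresholds. The thresholds are starting points: raise min_distinct on a busy store, and key on the session rather than the IP so that a poller behind a shared address is not lost among legitimate customers.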
Instead of a conclusion
18 out of 35 vulnerabilities are attacks from the inside, where the store administrator harms their own store.
Agencies and module vendors: it would be worth updating your demo stands so that Odmin does not pay a visit.
Store owners:
1. It is time to check the lists of administrators, so that no Odmins are among them.
2. It would be worth updating, so as not to hand order data to competitors or spammers.
Source: the patches can be viewed on GitHub:
2.0.15-2.0.16 and
2.1.8-2.1.9