Skip to content
/ Magento-APSB22-48-Security-Patches Public
forked from EmicoEcommerce/Magento-APSB22-48-Security-Patches

This repository contains potential security patches for the Magento APSB22-48 and CVE-2022-35698 security vulnerability

License

MIT license
0 stars 11 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

mooore-digital/Magento-APSB22-48-Security-Patches

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

34 Commits
.idea
.idea
 
 
2.3.7-p2
2.3.7-p2
 
 
2.3.7-p3
2.3.7-p3
 
 
2.3.7-p4
2.3.7-p4
 
 
2.4.1
2.4.1
 
 
2.4.2-p1
2.4.2-p1
 
 
2.4.2-p2
2.4.2-p2
 
 
2.4.3-p1
2.4.3-p1
 
 
2.4.3-p2
2.4.3-p2
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

!!We're still analyzing the released patch and are in no means sure that these patches cover the entire solution for the newly found security vulnerabilities, use at your own risk. The best way to keep your Magento shop secure is to upgrade to the latest version.!!

Security patches for APSB22-48

This repository contains Magento 2 Patch Files for the recently found security issues on 12-10-2022. The patch files aim to fix the CVE-2022-35698 and CVE-2022-35689 vulnerabilities.

There is not much information about the exact fix which has been released in the newly released patch versions of Magento. To create these patch files we've tried our best to inspect the 2.4.4-p1...2.4.4-p2 diff and extract the possible security fixes which seems to be in the Magento template directives.

Contents

As of now the patch only applies a few fixes in the Magento/Framework/Filter namespace which have been extracted from the following commit: Patch Commit While inspecting this commit there also seem to be a lot of fixes in the Magento/Customer module, we're currently working on applying these changes aswell.

The magento/module-customer patch applies a fix to the Webapi for Customer creation and Customer Confirmation Controller.

  • The Webapi patch fixes an issue where it used to be possible to send multiple keys with different capitalized key fields thus possibly ignoring any validation made by Magento.
  • The Confirmation Controller is changed to cast a id POST parameter to an integer.

The magento/framework patch applies a fix to the CMS template directive parsing, a signature is added and a depth check. We think the cause could be issues with nested CMS directives in Magento 2 and certain customer data being exposed to a XSS attack.

Installation

Use a package such as cweagans/composer-patches or vaimo/composer-patches to apply the correct patch file to your Magento shop. The patches are to be applied to the magento/framework and magento/module-customer package. The correct patch file can be found within the folder corresponding to your Magento 2 version.

Contributing

Feel free to create missing patch files for your Magento 2 version and create a Pull Request!

About

This repository contains potential security patches for the Magento APSB22-48 and CVE-2022-35698 security vulnerability

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published