
Cloud Vulnerability DB
A community-led vulnerabilities database
Magento Commerce and Open Source versions 2.2.6 and 2.1.15 were released to address multiple security vulnerabilities, the majority of them Cross-Site Scripting (XSS) issues. The vulnerabilities affect Magento Community Edition versions >= 2.1, < 2.1.15 and >= 2.2, < 2.2.6; the patched versions 2.1.15 and 2.2.6 were released on September 10, 2018 (Magento Security).
The security update addresses multiple vulnerabilities, including Cross-Site Scripting (XSS) and Remote Code Execution (RCE) issues. Notable entries include RCE via Varnish settings in the admin panel (CVSS 9.8), stored XSS from the website into the admin global search (CVSS 9.6), and a PHP file upload vulnerability via custom options (CVSS 8.9). The issues range from high-severity remote code execution to information exposure (Magento Security).
The vulnerabilities could allow attackers to execute code remotely, perform cross-site scripting attacks, access unauthorized information, and potentially take over admin accounts. The most severe impacts are the ability to read any file on the server and execute commands through Varnish, and stored XSS attacks targeting admin accounts (Magento Security).
The vulnerabilities were fixed in Magento versions 2.1.15 and 2.2.6, and users are advised to upgrade to these patched versions. Those unable to update immediately are advised to follow Magento's Security Best Practices and implement additional security measures (Magento Security).
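The affected ranges and fixed versions above are the facts a defender needs in order to triage an inventory of Magento installations. The following is an added example, not code from Magento or from this database, that encodes those ranges and maps an installed version to its patched release. It assumes version strings of the form x.y.z with an optional -suffix, and the sample CLI line and inventory are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges as stated in the advisory:
#   >= 2.1, < 2.1.15   and   >= 2.2, < 2.2.6
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((2, 1, 0), (2, 1, 15)),
    ((2, 2, 0), (2, 2, 6)),
]

# Patched release for each affected minor branch (from the advisory).
FIXED_VERSIONS: Dict[Tuple[int, int], str] = {
    (2, 1): "2.1.15",
    (2, 2): "2.2.6",
}


def parse_version(text: str) -> Version:
    """Parse 'x.y' or 'x.y.z' (an optional '-suffix' such as '-p1' is ignored)
    into a comparable (major, minor, patch) tuple."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Magento version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return (nums + (0,) * 3)[:3]  # type: ignore[return-value]


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def recommended_upgrade(version: str) -> Optional[str]:
    """Patched release on the same minor branch, or None when not affected."""
    if not is_affected(version):
        return None
    return FIXED_VERSIONS[parse_version(version)[:2]]


_VERSION_RE = re.compile(r"\b(\d+\.\d+(?:\.\d+)?(?:-[A-Za-z0-9]+)?)\b")


def extract_version(cli_output: str) -> Optional[str]:
    """Pull the first x.y[.z] token out of a line such as the output of
    'bin/magento --version' (the exact wording is assumed, not taken
    from the advisory)."""
    m = _VERSION_RE.search(cli_output)
    return m.group(1) if m else None


def triage(inventory: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map host -> patched version to install (None when already safe)."""
    return {host: recommended_upgrade(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory of Magento hosts and their reported versions.
    sample = {
        "shop-a.example": "2.2.5",
        "shop-b.example": "2.1.14-p1",
        "shop-c.example": "2.2.6",
        "shop-d.example": "2.0.18",  # below the 2.1 range covered here
    }
    for host, action in triage(sample).items():
        print(f"{host}: {'upgrade to ' + action if action else 'not in affected range'}")
```

Versions outside the two stated ranges (for example a 2.0.x install) are reported as not affected by this advisory only; they are not being declared safe in general, so the function returns None rather than a judgement about other branches.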
Source: This report was generated using AI