Magento Introduces New Versions and SUPEE-10266

by Fayyaz Khattak  September 15, 2017

Magento continues to be one of the most favoured ecommerce platforms. The key reason behind its popularity is the fact that team Magento regularly updates the core and fixes reported security issues in its latest releases.

On September 14, 2017, Magento released new updates that contain multiple security enhancements. These updates relate to Magento Open Source (formerly Community Edition) and Magento Commerce (formerly Enterprise Edition).


  • Magento Open Source and Magento Commerce 2.1.9 and 2.0.16
  • Magento Open Source 1.9.3.6, Magento Commerce 1.4.3.6 and SUPEE-10266

We highly recommend that merchants and developers upgrade their Magento stores to these versions as soon as possible. The new security patches can be installed by following this How to Guide, which was written for an older security patch but applies the same way.

If you haven’t already downloaded Magento, you can visit the Magento Tech Resources Page to download the latest versions of Magento 2.1, Magento 2.0, Magento 1.9, or SUPEE-10266.
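As an added check for the upgrade recommendation above (this script is not part of the original post and is not Magento's own tooling), the following Python decides whether a store is on a release that already contains these fixes. It compares within the release branch, because a naive comparison would flag 2.0.16 as older than 2.1.8 even though 2.0.16 is fixed, and for Magento 1 it also accepts an older 1.9.x release on which SUPEE-10266 has been applied. The version string is assumed to come from the installation (for example `bin/magento --version` on Magento 2 or `Mage::getVersion()` on Magento 1), the pipe-separated layout of `app/etc/applied.patches.list` is assumed rather than taken from the announcement, and the sample patch-list lines are constructed.

```python
# Minimum fixed release per branch, as announced on September 14, 2017.
FIXED_VERSIONS = {
    "2.1": (2, 1, 9),
    "2.0": (2, 0, 16),
    "1.9": (1, 9, 3, 6),
}
PATCH_ID = "SUPEE-10266"

# Constructed sample of app/etc/applied.patches.list; the '|' layout is assumed.
SAMPLE_APPLIED_PATCHES = """\
2017-01-20 09:12:44 UTC | SUPEE-9767 | CE_1.9.3.2 | v1 | ...
2017-09-15 08:30:02 UTC | SUPEE-10266 | CE_1.9.3.4 | v1 | ...
"""


def parse_version(text):
    """Turn '2.1.8' or '1.9.3.4' into a tuple of ints so tuples compare numerically."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def needs_upgrade(version_text):
    """Return (needs_upgrade, message), comparing only against the store's own branch."""
    version = parse_version(version_text)
    branch = f"{version[0]}.{version[1]}"
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return True, f"branch {branch} is not covered by this advisory; check with Magento"
    fixed_text = ".".join(str(n) for n in fixed)
    if version < fixed:
        return True, f"{version_text} is below fixed release {fixed_text}"
    return False, f"{version_text} is at or above fixed release {fixed_text}"


def patch_applied(applied_patches_text, patch_id=PATCH_ID):
    """Scan the applied.patches.list body for a record whose second field is patch_id."""
    for line in applied_patches_text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) >= 2 and fields[1] == patch_id:
            return True
    return False


def magento1_status(version_text, applied_patches_text):
    """A Magento 1.9.x store is covered either by running 1.9.3.6 or later
    or by having SUPEE-10266 recorded as applied on an older release."""
    needs, message = needs_upgrade(version_text)
    if not needs:
        return False, message
    if patch_applied(applied_patches_text):
        return False, f"{version_text} with {PATCH_ID} applied"
    return True, f"{message} and {PATCH_ID} not applied"


if __name__ == "__main__":
    for v in ("2.1.8", "2.1.9", "2.0.16", "2.0.15"):
        print(v, needs_upgrade(v))
    print("1.9.3.4 + patch list:", magento1_status("1.9.3.4", SAMPLE_APPLIED_PATCHES))
    print("1.9.3.4, no patch list:", magento1_status("1.9.3.4", ""))
```

Feed it the real version string and the real `applied.patches.list` of a store, and run it against staging before production, matching the testing advice later in the post.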

Magento Open Source 2.1.9 and 2.0.16

Magento Open Source 2.1.9 and 2.0.16 contain multiple enhancements to improve the security of the Magento platform. The vulnerabilities addressed by these releases are listed below:

  • Remote Code Execution vulnerability in CMS and layouts
  • Arbitrary File Disclosure
  • Arbitrary File Delete
  • Arbitrary file delete + Lack of input sanitization leading to Remote Code Execution
  • Order history disclosure
  • Overwrite a Relative Path in Sitemap
  • Setup pages expose sensitive data
  • CSRF + Stored Cross Site Scripting (customer group)
  • Security Issue with referrer
  • Stored XSS – Add new group in Attribute set name
  • Admin Notification Stored XSS
  • Potential file uploads solely protected by .htaccess
  • Customer login authenticates two different sessions
  • Customer registration through frontend does not have anti-CSRF protection
  • CMS Page Title Stored XSS
  • Anti-CSRF form_key is not changed after login
  • CSRF + Stored Cross Site Scripting in newsletter template
  • XSS in admin order view using order status label in Magento
  • Stored Cross-Site Scripting in email template bypass
  • Stored XSS on product thumbnail
  • Possible XSS in admin order view using order code label
  • Stored XSS using svg images in Favicon
  • Injection on Page leading to DoS
  • Stored XSS in integration activation
  • Any admin user can upload Favicon Icon
  • Stored XSS through customer group name in admin panel
  • Access Control Lists not validated when using quick edit mode in tables
  • Order Item Custom Option Disclosure
  • API token does not correctly expire
  • Anonymous users can view upgrade progress updates
  • Full Path Disclosure Web Root Directory
  • Admin login does not handle autocomplete feature correctly
  • Customer email enumeration through frontend login
  • Any user can interact with the sales order function despite not being authorized

Magento Open Source 1.9.3.6 and SUPEE-10266

The latest Magento 1 updates are Magento Open Source 1.9.3.6 and the SUPEE-10266 patch. The patch provides fixes for several functional issues and multiple critical security issues.

This release addresses the following security issues:

  • RSS session admin cookie can be used to gain Magento administrator privileges.
  • Remote Code Execution vulnerability in CMS and layouts
  • Exposure of Magento secret key from app/etc/local.xml
  • Directory traversal in template configuration
  • CSRF + Stored Cross Site Scripting (customer group)
  • Admin Notification Stored XSS
  • Potential file uploads solely protected by .htaccess
  • CSRF + Stored Cross Site Scripting in newsletter template
  • XSS in admin order view using order status label in Magento
  • Customer Segment Delete Action uses GET instead of POST request
  • Order Item Custom Option Disclosure
  • Admin login does not handle autocomplete feature correctly
  • Secure cookie check to prevent MITM not expiring user sessions

It is important that you first test the new version or the patch to make sure it works without issue before deploying it to your live site. Store owners should also make sure that their Magento extensions are up to date with the latest versions.


About Fayyaz Khattak

Fayyaz is a Magento Community Manager at Cloudways, a managed Magento hosting platform. His objective is to learn and share about PHP and Magento development in the community. Fayyaz is a food lover and enjoys driving. You can email him at m.fayyaz@cloudways.com
