MAGENTO SECURITY PATCH SUPEE-10266 RELEASED
Categorized as: Security Patches
SUPEE-10266, Magento Commerce 1.14.3.6 and Magento Open Source 1.9.3.6 contain multiple security enhancements that help close cross-site request forgery (CSRF), unauthorized data leak and authenticated Admin user remote code execution vulnerabilities. These releases also include fixes for issues with image reloading and for payments using one-step checkout.
Patches and upgrades are available for the following Magento versions:
- Magento Commerce 1.9.0.0-1.14.3.4: SUPEE-10266 or upgrade to Magento Commerce 1.14.3.6
- Magento Open Source 1.5.0.0-1.9.3.4: SUPEE-10266 or upgrade to Magento Open Source 1.9.3.6
Note: SUPEE-10266 for Magento Commerce (Enterprise Edition) includes a fix for MPERF-9685, a functional issue related to checkout with a zero order amount. This fix is not included in release 1.14.3.6. Note also that in some cases SUPEE-10266 itself breaks the checkout process: if a customer ticks the Add gift options checkbox during checkout, the checkout will not progress beyond the payment step. Magento released a fix for this as a separate patch, SUPEE-10348, which must be installed on top of SUPEE-10266.
Magento rated the issues fixed in this release using CVSSv3. A few of them are listed below:
Issue Type: Privilege Escalation

| CVSSv3 Severity | Security Bug | Description |
|---|---|---|
| 6.7 (Medium) | RSS session admin cookie can be used to gain Magento administrator privileges | An attacker can use a low-privilege RSS session cookie to escalate privileges and gain access to the Magento Admin Portal. |

Issue Type: Remote Code Execution (RCE)

| CVSSv3 Severity | Security Bug | Description |
|---|---|---|
| 8.2 (High) | Remote Code Execution vulnerability in CMS and layouts | A Magento administrator with limited privileges can introduce malicious code when creating a new CMS Page, which could result in arbitrary remote code execution. |
| 5.8 (Medium) | Potential file uploads solely protected by .htaccess | An attacker can target non-Apache installations (for example, Nginx) to upload executable scripts that can be used to stage further exploitation. |
Source: Magento
Magento strongly recommends deploying the patch or upgrade right away. Apply and test it in a development environment first to confirm that it works as expected, including a full run through checkout, or consult a professional.
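Two checks that follow from the note on SUPEE-10348 and from the .htaccess entry in the table above, as an added example (this is not Magento's own tooling and not code from the original page): a POSIX shell script that confirms both patches are recorded in app/etc/applied.patches.list in the right order, and that lists the .htaccess files whose access rules only Apache will enforce, so an Nginx deployment can re-create them in its server configuration. The sample tree it builds is constructed for the demo; the layout of applied.patches.list is approximated and only the presence of the patch name on a record is relied on; the Nginx location rule in the comment is an assumed template to adapt to your layout.

```shell
#!/bin/sh
# Added example, not Magento's own tooling. Two post-patch checks for a
# Magento 1 tree: (1) that SUPEE-10266 and the follow-up SUPEE-10348 are both
# recorded in app/etc/applied.patches.list, in that order; (2) which .htaccess
# files under the web root carry rules that Nginx would silently ignore.
# The tree written by build_sample_tree is constructed for the demo.

# patches_recorded LISTFILE PATCH...
# Prints "applied NAME" or "MISSING NAME" per patch. Returns 0 only if every
# patch is recorded in the order given, 1 if any is missing, 2 if all are
# present but out of order. Assumption: each SUPEE patch script appends one
# record containing the patch name; nothing else about the layout is relied on.
patches_recorded() {
    list=$1; shift
    rc=0; prev=0
    for p in "$@"; do
        line=$(grep -n -- "$p" "$list" | head -n 1 | cut -d: -f1)
        if [ -z "$line" ]; then
            echo "MISSING $p"; rc=1
        else
            echo "applied $p"
            if [ "$rc" -eq 0 ] && [ "$line" -lt "$prev" ]; then rc=2; fi
            prev=$line
        fi
    done
    return $rc
}

# htaccess_rules WEBROOT
# Lists every .htaccess under WEBROOT whose directives restrict access or PHP
# handling. Apache honours them; Nginx never reads .htaccess, so each listed
# file marks a directory whose protection must be re-created in nginx.conf,
# for example (assumed rule, adapt the paths to your layout):
#   location ~* ^/(media|var|includes)/.*\.(php|phtml)$ { deny all; }
# Returns 1 if no such file exists.
htaccess_rules() {
    found=$(find "$1" -name .htaccess -type f -exec grep -lEi \
        '^[[:space:]]*(deny from|require all denied|php_flag[[:space:]]+engine|(set|add|remove)handler|<filesmatch)' \
        '{}' + 2>/dev/null || true)
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# build_sample_tree DIR
# Writes a constructed Magento-1-like layout for the demo: a patch list that
# records SUPEE-10266 and then SUPEE-10348 (record layout approximated), and
# Apache-only "Deny from all" rules of the kind Magento ships for
# media/customer and var. The dates and hashes are made up.
build_sample_tree() {
    mkdir -p "$1/app/etc" "$1/media/customer" "$1/var"
    cat > "$1/app/etc/applied.patches.list" <<'EOF'
2017-09-20 10:12:33 UTC | SUPEE-10266 | CE_1.9.3.4 | v1
2017-10-05 08:41:07 UTC | SUPEE-10348 | CE_1.9.3.4 | v1
EOF
    printf 'Options All -Indexes\n' > "$1/media/.htaccess"
    printf 'Order deny,allow\nDeny from all\n' > "$1/media/customer/.htaccess"
    printf 'Order deny,allow\nDeny from all\n' > "$1/var/.htaccess"
}

# Demo on the constructed tree. For a real store, call patches_recorded with
# the store's app/etc/applied.patches.list and htaccess_rules with its web root.
demo=$(mktemp -d)
build_sample_tree "$demo"
if patches_recorded "$demo/app/etc/applied.patches.list" SUPEE-10266 SUPEE-10348; then
    echo "patch records OK"
else
    echo "patch check failed, rc=$?"
fi
echo "Apache-only protections that Nginx would ignore:"
htaccess_rules "$demo" || echo "(none)"
rm -rf "$demo"
```

A non-zero return from patches_recorded is the signal to stop: apply the missing patch, or re-apply SUPEE-10348 after SUPEE-10266, before the change goes anywhere near production. The .htaccess list is only an inventory; what matters is that every directory it names has an equivalent deny rule in the Nginx server block and that a PHP file dropped under media/ returns 403 rather than executing.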
What else can be done to protect a Magento site?
Apart from installing the security patches, have a Magento certified professional conduct a security audit every quarter, especially if you have installed new extensions or made changes to the site.

If you want help implementing this security patch or have any questions about SUPEE-10266, please contact our support team and consult our certified Magento developers.