My Cart 0
Filters

MAGENTO SECURITY PATCH SUPEE-10266 RELEASED

SUPEE-10266, Magento Commerce 1.14.3.6 and Open Source 1.9.3.6 contain multiple security enhancements that help close cross-site request forgery (CSRF), unauthorized data leak, and authenticated Admin user remote code execution vulnerabilities. These releases also include fixes for issues with image reloading and payments using one-step checkout.

Patches and upgrades are available for the following Magento versions:

  • Magento Commerce 1.9.0.0-1.14.3.4: SUPEE-10266 or upgrade to Magento Commerce 1.14.3.6

  • Magento Open Source 1.5.0.0-1.9.3.4: SUPEE-10266 or upgrade to Magento Open Source 1.9.3.6


Note: SUPEE-10266 for Magento Commerce (Enterprise Edition) includes a fix for a functional issues MPERF-9685, related to checkout with a zero order amount. This fix is not included in release 1.14.3.6. However, in some cases, SUPEE-10266 can cause issues in the checkout process. Specifically, if a customer enables the Add gift options checkbox during checkout, the checkout process will not progress beyond the payments step. Magento released a fix for this issue as a new patch SUPEE-10348, that needs to be installed on top of SUPEE-10266.

There were several CVSSv3 Severity issues found which affected the Magento products. Below are the few bugs:

Issue Type: Privilege Escalation


 















CVSSv3 Severity Security Bug Description
6.7 (Medium) RSS session admin cookie can be used to gain Magento administrator privileges. An attacker can use a low privilege RSS session cookie to escalate privileges and gain access to the Magento Admin Portal.

 

Issue Type: Remote Code Execution (RCE)


 













8.2 (High) Remote Code Execution vulnerability in CMS and layouts A Magento administrator with limited privileges can introduce malicious code when creating a new CMS Page, which could result in arbitrary remote code execution.
5.8 (Medium) Potential file uploads solely protected by .htaccess An attacker can target non-Apache installations (for example, Nginx) to upload executable scripts that can be used to stage additional exploitations.

Source: Magento

It is highly recommended by Magento to deploy these new releases right away, to ensure optimal security and performance. Remember to implement and test the patch in a development environment first to confirm that it works as expected or consult a professional.

What else can be done to protect a Magento site?


Apart from installing the security patches, you can always ask Magento certified professionals to conduct a security audit every quarter to ensure that your store is secured especially if you have installed new extensions and made some changes to the site.
&nbps;

Consult our certified Magento developers, if you want to implement this security patch or have any questions regarding the Magento security SUPEE-10266 patch, please contact our support team.