MAGENTO SECURITY PATCH SUPEE-10415 RELEASED
Categorized as : Security Patches
SUPEE-10415, Magento Commerce 1.14.3.7 and Open Source 1.9.3.7 contain multiple security enhancements that help close cross-site request forgery (CSRF), Denial-of-Service (DoS) and authenticated Admin user remote code execution (RCE) vulnerabilities. These releases also include a fix for customers who had previously experienced patching issues caused by SOAP v1 interactions in WSDL.
NOTE: Magento was recently informed about an issue with both patch SUPEE-10570 and Magento versions 1.9.3.8/1.14.3.8 that could result in the inability of customers to complete checkout when trying to register during checkout. Magento is now providing an updated patch (SUPEE-10570v2) that no longer causes this issue.
Patches and upgrades are available for the following Magento versions:
- Magento Commerce 1.9.0.0-1.14.3.7: SUPEE-10415 or upgrade to Magento Commerce 1.14.3.7.
- Magento Open Source 1.5.0.0-1.9.3.7: SUPEE-10415 or upgrade to Magento Open Source 1.9.3.7.
There were several CVSSv3 Severity issues found which affected the Magento products. Below are the few bugs:
Issue Type: Denial-of-Service (DoS)

| CVSSv3 Severity | Security Bug | Description |
| --- | --- | --- |
| 6.7 (Medium) | Unsanitized input leading to denial of service | A site visitor can create an account where one of the parameters will create a server denial-of-service. |

Issue Type: Cross-Site Scripting (XSS, stored)

| CVSSv3 Severity | Security Bug | Description |
| --- | --- | --- |
| 6.6 (Medium) | Stored XSS in Product Name field | An administrator with limited privileges can insert script in the product name field, potentially resulting in a stored cross-site scripting that affects other administrators. |
| 6.1 (Medium) | Stored XSS in Visual Merchandiser | An administrator with limited privileges can create a stored cross-site scripting attack in the Visual Merchandiser system. |

Issue Type: Remote Code Execution (RCE)

| CVSSv3 Severity | Security Bug | Description |
| --- | --- | --- |
| 5.0 (Medium) | Cross-site Scripting in CMS hierarchy | An administrator with limited privileges can insert script into the CMS hierarchy, which could potentially result in a stored cross-site scripting that affects other administrators. |
| 8.2 (High) | Remote Code Execution by leveraging unsafe unserialization | An administrator with limited privileges can insert injectable code in promo fields, creating an opportunity for arbitrary remote code execution. |
Source: Magento
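To make the 8.2 (High) "unsafe unserialization" item concrete, here is an added PHP illustration of that bug class and two hardened alternatives. It is not Magento's code and does not reproduce the patched Magento code path; the function names and the stored "promo conditions" string are hypothetical, and the `allowed_classes` option assumes PHP 7.0 or later.

```php
<?php
// Added illustration (not Magento code). The stored string stands in for
// admin-supplied data such as a promo rule's conditions that an application
// later rebuilds into PHP values.

// Vulnerable pattern: unserialize() on data an admin user can control may
// instantiate ANY application class, so magic methods (__wakeup, __destruct)
// run with attacker-chosen property values. That is the root of this bug class.
function loadPromoConditionsUnsafe(string $stored): array
{
    $data = unserialize($stored);
    return is_array($data) ? $data : [];
}

// Hardened pattern 1: forbid object instantiation. Any serialized object in
// the input becomes a __PHP_Incomplete_Class, whose magic methods do nothing.
function loadPromoConditionsSafe(string $stored): array
{
    $data = @unserialize($stored, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// Hardened pattern 2 (preferred for new code): persist plain data as JSON,
// which has no object-instantiation semantics at all.
function loadPromoConditionsJson(string $stored): array
{
    $data = json_decode($stored, true);
    return is_array($data) ? $data : [];
}

// Constructed sample: a serialized array that smuggles an object.
// With allowed_classes => false the object is neutralised; the plain keys survive.
$sample = serialize(['min_qty' => 3, 'obj' => new stdClass()]);
$safe   = loadPromoConditionsSafe($sample);
var_dump($safe['obj'] instanceof __PHP_Incomplete_Class);

// Equivalent JSON storage for the same plain data.
$jsonSample = json_encode(['min_qty' => 3]);
var_dump(loadPromoConditionsJson($jsonSample));
```

A quick defensive check on a Magento 1 code base is to search the extension and custom code for `unserialize(` calls that read database or request data without `allowed_classes`, since the core fix only covers the core promo fields.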
Magento strongly recommends deploying these new releases right away to ensure optimal security and performance. Implement and test the patch in a development environment first to confirm that it works as expected, or consult a professional.
What else can be done to protect a Magento site?
Apart from installing the security patches, you can ask Magento certified professionals to conduct a security audit every quarter to ensure that your store stays secure, especially if you have installed new extensions or made changes to the site.
If you want to implement this security patch or have any questions about the Magento SUPEE-10415 security patch, consult our certified Magento developers or contact our support team.