MAGENTO SECURITY PATCH SUPEE-10752 RELEASED
Categorized as : Security Patches
SUPEE-10752, Magento Commerce 1.14.3.9 and Open Source 1.9.3.9 contain multiple security enhancements that help close authenticated Admin user remote code execution (RCE), cross-site request forgery (CSRF) and other vulnerabilities.
NOTE: Conflicts during installation of the patch SUPEE-10752 are caused most often by having version 1 of the previous patch installed (SUPEE-10570v1). Please make sure to remove SUPEE-10570v1 and install SUPEE-10570v2 prior to installation of SUPEE-10752.
Patches and upgrades are available for the following Magento versions:
- Magento Commerce 1.9.0.0-1.14.3.9: SUPEE-10752 or upgrade to Magento Commerce 1.14.3.9.
- Magento Open Source 1.5.0.0-1.9.3.9: SUPEE-10752 or upgrade to Magento Open Source 1.9.3.9.
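Before applying SUPEE-10752, check which patches are recorded as active on the store. The following is an added example (not Magento's code and not from the original post) that reads a Magento 1 `app/etc/applied.patches.list` file and flags the conflict described in the note above: SUPEE-10570 v1 still applied, SUPEE-10570 v2 missing, or SUPEE-10752 missing. The pipe-separated record layout and the `REVERTED` prefix are assumptions, and the sample file contents are constructed.

```python
# Assumed record layout of app/etc/applied.patches.list (assumption, not from the post):
#   <applied at> | <patch name> | <edition_version> | <patch version> | <commit> | <commit date> | <magento version>
# A reverted patch is assumed to be recorded as the same line prefixed with "REVERTED |".
SAMPLE_BEFORE = """\
2018-02-27 10:11:12 UTC | SUPEE-10570 | CE_1.9.3.7 | v1 | 0000000000000000000000000000000000000000 | Tue Feb 27 00:00:00 2018 +0000 | 1.9.3.7
"""  # constructed: only v1 of SUPEE-10570 is applied

SAMPLE_AFTER = SAMPLE_BEFORE + """\
REVERTED | 2018-03-01 09:00:00 UTC | SUPEE-10570 | CE_1.9.3.7 | v1 | 0000000000000000000000000000000000000000 | Tue Feb 27 00:00:00 2018 +0000 | 1.9.3.7
2018-03-01 09:05:00 UTC | SUPEE-10570 | CE_1.9.3.7 | v2 | 1111111111111111111111111111111111111111 | Thu Mar 01 00:00:00 2018 +0000 | 1.9.3.7
2018-06-28 08:00:00 UTC | SUPEE-10752 | CE_1.9.3.8 | v1 | 2222222222222222222222222222222222222222 | Wed Jun 27 00:00:00 2018 +0000 | 1.9.3.8
"""  # constructed: v1 reverted, v2 applied, then SUPEE-10752 applied


def parse_patch_list(text):
    """Yield (patch_name, patch_version, reverted) for every well-formed record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        reverted = line.startswith("REVERTED")
        if reverted:
            line = line[len("REVERTED"):].lstrip(" |")
        fields = [f.strip() for f in line.split("|")]
        if len(fields) < 4:
            continue  # skip malformed lines rather than guessing
        records.append((fields[1], fields[3], reverted))
    return records


def active_patches(text):
    """Map patch name -> set of versions currently applied (applied minus reverted, in file order)."""
    active = {}
    for name, version, reverted in parse_patch_list(text):
        versions = active.setdefault(name, set())
        versions.discard(version) if reverted else versions.add(version)
    return active


def supee_10752_readiness(text):
    """Return a list of findings; an empty list means the store is ready / patched."""
    active = active_patches(text)
    v10570 = active.get("SUPEE-10570", set())
    findings = []
    if "v1" in v10570:
        findings.append("SUPEE-10570 v1 still applied: revert it and apply v2 first")
    elif "v2" not in v10570:
        findings.append("SUPEE-10570 v2 not applied: apply it first")
    if not active.get("SUPEE-10752"):
        findings.append("SUPEE-10752 not applied")
    return findings
```

Run it against the real file with `supee_10752_readiness(open("app/etc/applied.patches.list").read())` once you have confirmed the file's layout matches the assumed one.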
Several issues with CVSSv3 severity ratings were found affecting the Magento products. The main bugs are listed below:
| Issue Type | CVSSv3 Severity | Security Bug | Description |
|---|---|---|---|
| Remote Code Execution (RCE) | 9.8 (Critical) | Authenticated Remote Code Execution (RCE) using custom layout XML | Admin users with permission to manage products can use custom layout XML to copy any file to any location. |
| Remote Code Execution (RCE) | 9.8 (Critical) | Authenticated Remote Code Execution (RCE) through the Create New Order feature (Commerce only) | Users with permission to generate sales orders from the Admin panel can use gift card functionality to manipulate request data and inject a malicious string that is later unserialized. |
| Remote Code Execution (RCE) | 8.9 (High) | PHP Object Injection and RCE in the Magento Admin panel (Commerce Target Rule module) | An administrator user with access to the Enterprise Target Rule module can create rule-based product relations that can be manipulated to trigger remote code execution. |
| Remote Code Execution (RCE) | 8.9 (High) | PHP Object Injection and Remote Code Execution (RCE) in the Admin panel (Commerce) | An administrator user with access to the Commerce Target Rule module can create rule-based product relations that can be manipulated to trigger remote code execution. |
| SQL Injection (SQLi) | 8.2 (High) | Authenticated SQL Injection when saving a category | By manipulating request data when saving a category, a user can insert a malicious string into the database that can be used in a subsequent request to perform SQL injection. The injected code can be used to trigger arbitrary insert and update commands (provided they fit in the 255-character field). |
| Cross-Site Scripting (XSS) | 8.2 (High) | Admin-to-Admin XSS in configurable custom attribute label | Arbitrary JS can be triggered on the sales order grid page by manipulating one of the URL parameters. |
| Cross-Site Request Forgery (CSRF) | 7.4 (High) | CSRF is possible against websites, stores, and store views | Multiple CSRF vulnerabilities allow deleting websites, stores or store views. |
| Security Implementation Flaw | 7.4 (High) | The cron.php file can leak database credentials | The cron.php file can leak database credentials if it is unable to establish a connection to the database. |
Source: Magento
Magento strongly recommends deploying these new releases right away to ensure optimal security and performance. Remember to apply and test the patch in a development environment first to confirm that it works as expected, or consult a professional.
What else can be done to protect a Magento site?
Apart from installing the security patches, you can ask Magento certified professionals to conduct a security audit every quarter to ensure that your store remains secure, especially if you have installed new extensions or made changes to the site.
If you want to implement this security patch or have any questions regarding the Magento SUPEE-10752 security patch, consult our certified Magento developers or contact our support team.