MAGENTO SECURITY PATCH SUPEE-10888 RELEASED
Categorized as: Security Patches
SUPEE-10888, Magento Commerce 1.14.3.10 and Open Source 1.9.3.10 contain multiple security enhancements that help close cross-site scripting (XSS), cross-site request forgery (CSRF) and other vulnerabilities.
Patches and upgrades are available for the following Magento versions:
- Magento Commerce 1.9.0.0-1.14.3.10: SUPEE-10888 or upgrade to Magento Commerce 1.14.3.10.
- Magento Open Source 1.5.0.0-1.9.3.10: SUPEE-10888 or upgrade to Magento Open Source 1.9.3.10.
Several CVSSv3-rated security issues were found that affected Magento products. The bugs are listed below:
Issue Type: XML injection

| CVSSv3 Severity | Security Bug | Description |
|---|---|---|
| 6.9 | Authenticated Unauthorised Data Access Via Layout Injection | An administrator with limited permissions might be able to obtain information outside of his permissions. |

Issue Type: General: Cross Site Scripting (reflective)

| CVSSv3 Severity | Security Bug | Description |
|---|---|---|
| 6.1 | Reflective XSS against Admin Panel | Arbitrary JS can be triggered on the sales order grid page by manipulating one of the URL parameters. |
| 6.1 | Admin to Admin XSS in configurable custom attribute label | An administrator with limited permissions might be able to use an XSS attack on another administrator. |

Issue Type: Privilege Escalation & Enumeration: Information Exposure

| CVSSv3 Severity | Security Bug | Description |
|---|---|---|
| 5.9 | Overwrite all Reviews | In specific configurations, it might be possible to overwrite reviews. |
| N/A | Reset password URL includes the customer ID | The reset password link for a customer account includes the customer ID. An attacker can use the customer ID to gain access to the customer account, despite the use of a token. |
Source: Magento
Magento strongly recommends deploying these new releases right away to ensure optimal security and performance. Implement and test the patch in a development environment first to confirm that it works as expected, or consult a professional.
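As an added example that is not part of this post or of Magento's own patch tooling, the following POSIX shell script checks whether a given SUPEE patch ID is recorded in a store's app/etc/applied.patches.list, the file the Magento 1 patch scripts append to after a successful run. The sample list content, the hash values and the patch file names are constructed placeholders, and the exact field layout of that file (pipe-separated, with the patch ID as its own field) is an assumption.

```shell
#!/bin/sh
# Added example (not Magento's own tooling): check whether a SUPEE patch is
# recorded in a Magento 1 installation's app/etc/applied.patches.list.
# Assumption: each line in that file is pipe-separated with the patch ID
# (e.g. SUPEE-10888) as its own field. The sample below is constructed.

# Write a constructed applied.patches.list to the path given as $1.
write_sample_patch_list() {
    cat > "$1" <<'EOF'
2018-01-01 12:00:00 UTC | SUPEE-PLACEHOLDER | CE_1.9.3.9 | v1 | constructed-hash-1 | PATCH_SUPEE-PLACEHOLDER.sh
2018-08-28 12:00:00 UTC | SUPEE-10888 | CE_1.9.3.9 | v1 | constructed-hash-2 | PATCH_SUPEE-10888_placeholder.sh
EOF
}

# magento_patch_applied PATCH_ID LIST_FILE
# Returns 0 if PATCH_ID appears as a field in LIST_FILE, 1 otherwise
# (including when the list file does not exist, i.e. no patch was ever applied).
magento_patch_applied() {
    patch_id=$1
    list_file=$2
    [ -f "$list_file" ] || return 1
    # Fixed-string match on the delimited field so SUPEE-1088 cannot match SUPEE-10888.
    grep -qF -- "| $patch_id |" "$list_file"
}

# patch_status PATCH_ID LIST_FILE -> prints "applied" or "missing"
patch_status() {
    if magento_patch_applied "$1" "$2"; then
        echo applied
    else
        echo missing
    fi
}

# Stand-alone demo against the constructed sample; on a real store, point
# LIST_FILE at <magento root>/app/etc/applied.patches.list instead.
LIST_FILE=$(mktemp)
write_sample_patch_list "$LIST_FILE"
for p in SUPEE-10888 SUPEE-99999; do   # SUPEE-99999 is a constructed, non-existent ID
    echo "$p: $(patch_status "$p" "$LIST_FILE")"
done
rm -f "$LIST_FILE"
```

Run the check in the development environment after applying the patch, then again on production after the rollout, so that a store reported as "missing" for SUPEE-10888 stands out before the next audit rather than during an incident.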
What else can be done to protect a Magento site?
Apart from installing the security patches, you can always ask Magento certified professionals to conduct a security audit every quarter to ensure that your store is secure, especially if you have installed new extensions or made changes to the site.
If you want to implement this security patch or have any questions about the Magento SUPEE-10888 security patch, consult our certified Magento developers or contact our support team.