

SUPEE-10888 for Magento Commerce and Magento Open Source contains multiple security enhancements that help close cross-site scripting (XSS), cross-site request forgery (CSRF) and other vulnerabilities.

Patches and upgrades are available for the following Magento versions:

  • Magento Commerce SUPEE-10888 or upgrade to Magento Commerce

  • Magento Open Source SUPEE-10888 or upgrade to Magento Open Source

Several issues with CVSSv3 severity ratings were found affecting the Magento products. A few of the bugs are listed below:

Issue Type: XML injection

CVSSv3 Severity: 6.9
Security Bug: Authenticated Unauthorised Data Access Via Layout Injection
Description: An administrator with limited permissions might be able to obtain information outside of his permissions.

Issue Type: General: Cross Site Scripting (reflective)

CVSSv3 Severity: 6.1
Security Bug: Reflective XSS against Admin Panel
Description: Arbitrary JS can be triggered on the sales order grid page by manipulating one of the URL parameters.

CVSSv3 Severity: 6.1
Security Bug: Admin to Admin XSS in configurable custom attribute label
Description: An administrator with limited permissions might be able to use an XSS attack on another administrator.

Issue Type: Privilege Escalation & Enumeration: Information Exposure

CVSSv3 Severity: 5.9
Security Bug: Overwrite all Reviews
Description: In specific configurations, it might be possible to overwrite reviews.

CVSSv3 Severity: N/A
Security Bug: Reset password URL includes the customer ID
Description: The reset password link for a customer account includes the customer ID. An attacker can use the customer ID to gain access to the customer account, despite the use of a token.

Source: Magento

Magento strongly recommends deploying these new releases right away to ensure optimal security and performance. Remember to apply and test the patch in a development environment first to confirm that it works as expected, or consult a professional.
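A practical check to run after applying the patch in the development copy and again on production: Magento 1 patch scripts record each apply and revert in app/etc/applied.patches.list, and a plain grep for the patch id reports "applied" even when the patch was later reverted. The helper below is an added example, not part of the advisory or of Magento's own tooling; it assumes that records in that file are '|'-separated, that a field equal to the patch id identifies the record, and that a field equal to REVERTED marks a revert. The sample list, the patch ids other than SUPEE-10888, and the version string are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Magento's code). Reports the recorded state of SUPEE patches
# in a Magento 1 install by reading app/etc/applied.patches.list.
# Assumption: records are '|'-separated; a field equal to the patch id marks the
# record and a field equal to REVERTED marks a revert. The last record that
# mentions a patch decides its current state.

# supee_state FILE PATCH_ID  -> prints applied | reverted | missing
supee_state() {
    file="$1"; patch="$2"
    [ -r "$file" ] || { echo missing; return 0; }
    awk -F'|' -v p="$patch" '
        {
            hit = 0; rev = 0
            for (i = 1; i <= NF; i++) {
                f = $i; gsub(/^[ \t]+|[ \t]+$/, "", f)   # trim each field
                if (f == p) hit = 1
                if (f == "REVERTED") rev = 1
            }
            if (hit) state = (rev ? "reverted" : "applied")
        }
        END { print (state == "" ? "missing" : state) }
    ' "$file"
}

# check_patches FILE PATCH_ID...  -> lists patches not currently applied; returns 1 if any
check_patches() {
    file="$1"; shift
    bad=0
    for p in "$@"; do
        s=$(supee_state "$file" "$p")
        if [ "$s" != "applied" ]; then
            echo "$p: $s"
            bad=1
        fi
    done
    return $bad
}

# write_sample_list PATH  -> writes a constructed applied.patches.list (sample data only)
write_sample_list() {
    cat > "$1" <<'EOF'
2018-06-01 09:00:00 UTC | SUPEE-00001 | CE_x.y.z | v1 | constructed sample record
2018-08-28 10:00:00 UTC | SUPEE-10888 | CE_x.y.z | v1 | constructed sample record
2018-08-28 11:00:00 UTC | REVERTED | SUPEE-10888 | CE_x.y.z | v1 | constructed sample record
EOF
}

# Demo against the constructed list. On a real install, after running the patch
# script downloaded from Magento in a development copy (file name is a placeholder):
#   sh PATCH_SUPEE-10888_PLACEHOLDER.sh
# run:
#   check_patches /path/to/magento/app/etc/applied.patches.list SUPEE-10888
tmp=$(mktemp)
write_sample_list "$tmp"
check_patches "$tmp" SUPEE-00001 SUPEE-10888 SUPEE-00002 || echo "patches outstanding"
rm -f "$tmp"
```

In the sample list SUPEE-00001 is reported as applied, SUPEE-10888 as reverted (its last record is a revert, which a naive grep would miss) and SUPEE-00002 as missing, so the check exits non-zero and the deployment can be stopped before the site goes live unpatched.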

What else can be done to protect a Magento site?

Apart from installing the security patches, you can ask Magento certified professionals to conduct a security audit every quarter to confirm that your store remains secure, especially after you have installed new extensions or made changes to the site.

Consult our certified Magento developers if you want help implementing this security patch. If you have any questions regarding the Magento security patch SUPEE-10888, please contact our support team.