My Cart


SUPEE-8788, Enterprise Edition 1.14.3 and Community Edition 1.9.3 address Zend framework and payment vulnerabilities, ensure sessions are invalidated after a user logs out, and make several other security enhancements that are detailed below.

Patches and upgrades are available for the following Magento versions:

  • Enterprise Edition SUPEE-8788 or upgrade to Enterprise Edition 1.14.3

  • Community Edition SUPEE-8788 or upgrade to Community Edition 1.9.3

There were several CVSSv3 Severity issues found which affected the Magento products. Below are the few bugs:

Issue Type: Remote Code Execution (RCE)


CVSSv3 Severity Security Bug Description
9.8 (Critical) Remote Code Execution in checkout With some payment methods it might be possible to execute malicious PHP code during checkout.

Issue Type: SQL Injection/Improper validation


CVSSv3 Severity Security Bug Description
9.1 (Critical) SQL injection in Zend Framework A bug in Zend Framework value escaping allows a malicious user to inject SQL through the ordering or grouping parameters. While there are no known frontend entry point vulnerabilities that would allow for a full SQL injection, we’ve found an entry point in the Magento Admin panel, and other entry points most likely exist.

Issue Type: Cross-Site Scripting (XSS) - Stored


CVSSv3 Severity Security Bug Description
8.2 (High) Stored XSS in invitations It is possible to use the Magento Enterprise Edition invitations feature to insert malicious JavaScript that might be executed in the admin context.

Issue Type: Information Leakage


CVSSv3 Severity Security Bug Description
7.7 (High) Stored XSS in invitations With access to any CMS functionality, an attacker with administrator permissions can use blocks to exfiltrate information stored in cache. This sensitive information includes store configuration, encryption key, and database connection details. Additionally, it might be possible to execute code.

Issue Type: Insufficient data protection


CVSSv3 Severity Security Bug Description
7.5 (High) Log in as another customer In certain configurations, it is possible to log in as existing store customer while knowing only his email address, not his password.

Source: Magento

It is highly recommended by Magento to deploy these new releases right away, to ensure optimal security and performance. Remember to implement and test the patch in a development environment first to confirm that it works as expected or consult a professional.

What else can be done to protect a Magento site?

Apart from installing the security patches, you can always ask Magento certified professionals to conduct a security audit every quarter to ensure that your store is secured especially if you have installed new extensions and made some changes to the site.

Consult our certified Magento developers, if you want to implement this security patch or have any questions regarding the Magento security SUPEE-8788 patch, please contact our support team.