Security Patches and Updates for Magento 1.x and 2.x Available Now

Critical updates and SUPEE patches for Magento 1.x and 2.x stores.

Magento, following its routine of releasing security updates and patches to keep the platform secure and robust, has released security updates 2.0.16 and 2.1.9. Along with those, SUPEE-10266, Magento Commerce 1.4.3.6 and Open Source 1.9.3.6 are also available for download.

The updates contain security enhancements for Magento Open Source (formerly known as Community Edition) and Magento Commerce (formerly known as Enterprise Edition).

These are critical updates for your Magento stores, so it is highly recommended that you install them immediately.

Magento Open Source 1.9.3.6 and SUPEE-10266

SUPEE-10266 contains fixes for several critical and functional security issues.

Here are some of the issues the release claims to resolve:

  • RSS session admin cookie can be used to gain Magento administrator privileges.
  • Remote Code Execution vulnerability in CMS and layouts
  • Exposure of Magento secret key from app/etc/local.xml
  • Directory traversal in template configuration
  • CSRF + Stored Cross Site Scripting (customer group)
  • Admin Notification Stored XSS
  • Potential file uploads solely protected by .htaccess
  • CSRF + Stored Cross Site Scripting in newsletter template
  • XSS in admin order view using order status label in Magento
  • Customer Segment Delete Action uses GET instead of POST request
  • Order Item Custom Option Disclosure
  • Admin login does not handle autocomplete feature correctly
  • Secure cookie check to prevent MITM not expiring user sessions

Magento Open Source 2.1.9 and 2.0.16

These updates improve your store's security; here are the vulnerabilities they claim to resolve:

  • Remote Code Execution vulnerability in CMS and layouts
  • Arbitrary File Disclosure
  • Arbitrary File Delete
  • Arbitrary file delete + Lack of input sanitization leading to Remote Code Execution
  • Order history disclosure
  • Overwrite a Relative Path in Sitemap
  • Setup pages expose sensitive data
  • CSRF + Stored Cross Site Scripting (customer group)
  • Security Issue with referrer
  • Stored XSS – Add new group in Attribute set name
  • Admin Notification Stored XSS
  • Potential file uploads solely protected by .htaccess
  • Customer login authenticates two different sessions
  • Customer registration through frontend does not have anti-CSRF protection
  • CMS Page Title Stored XSS
  • Anti-CSRF form_key is not changed after login
  • CSRF + Stored Cross Site Scripting in newsletter template
  • XSS in admin order view using order status label in Magento
  • Stored Cross-Site Scripting in email template bypass
  • Stored XSS on product thumbnail
  • Possible XSS in admin order view using order code label
  • Stored XSS using svg images in Favicon
  • Injection on Page leading to DoS
  • Stored XSS in integration activation
  • Any admin user can upload Favicon Icon
  • Stored XSS through customer group name in admin panel
  • Access Control Lists not validated when using quick edit mode in tables
  • Order Item Custom Option Disclosure
  • API token does not correctly expire
  • Anonymous users can view upgrade progress updates
  • Full Path Disclosure Web Root Directory
  • Admin login does not handle autocomplete feature correctly
  • Customer email enumeration through frontend login
  • Any user can interact with the sales order function despite not being authorized

The updates also address the following issues:

  • RSS session admin cookie can be used to gain Magento administrator privileges.
  • Remote Code Execution vulnerability in CMS and layouts
  • Exposure of Magento secret key from app/etc/local.xml
  • Directory traversal in template configuration
  • CSRF + Stored Cross Site Scripting (customer group)
  • Admin Notification Stored XSS
  • Potential file uploads solely protected by .htaccess
  • CSRF + Stored Cross Site Scripting in newsletter template
  • XSS in admin order view using order status label in Magento
  • Customer Segment Delete Action uses GET instead of POST request
  • Order Item Custom Option Disclosure
  • Admin login does not handle autocomplete feature correctly
  • Secure cookie check to prevent MITM not expiring user sessions

Test the updates before you deploy them to your production Magento store, just to be on the safe side. That said, make sure your stores are updated as soon as possible.

About Author

Syed Muneeb Ul Hasan is an expert in PHP and Magento who prefers to educate users in implementing and learning Magento. When not working, he loves to watch cricket.