
Security Patches and Updates for Magento 1.x and 2.x Available Now

Critical updates and SUPEE patches are available for Magento 1.x and 2.x stores. Continuing its routine of security releases, Magento has published 2.0.16 and 2.1.9 for the 2.x lines and, alongside them, SUPEE-10266 together with Magento Commerce 1.14.3.6 and Magento Open Source 1.9.3.6 for the 1.x line. The releases contain security fixes for both Magento Open Source (formerly known as Community Edition) and Magento Commerce (formerly known as Enterprise Edition). These are critical updates for your Magento stores, so it is highly recommended that you test and install them immediately.

Magento Open Source 1.9.3.6 and SUPEE-10266

SUPEE-10266 contains fixes for several critical security issues as well as functional fixes. Here are the security issues the release claims to resolve:
  • RSS session admin cookie can be used to gain Magento administrator privileges.
  • Remote Code Execution vulnerability in CMS and layouts
  • Exposure of Magento secret key from app/etc/local.xml
  • Directory traversal in template configuration
  • CSRF + Stored Cross Site Scripting (customer group)
  • Admin Notification Stored XSS
  • Potential file uploads solely protected by .htaccess
  • CSRF + Stored Cross Site Scripting in newsletter template
  • XSS in admin order view using order status label in Magento
  • Customer Segment Delete Action uses GET instead of POST request
  • Order Item Custom Option Disclosure
  • Admin login does not handle autocomplete feature correctly
  • Secure cookie check to prevent MITM not expiring user sessions


Magento Open Source 2.1.9 and 2.0.16

These updates improve the security of your Magento 2 store. Here are the vulnerabilities the releases claim to resolve:
  • Remote Code Execution vulnerability in CMS and layouts
  • Arbitrary File Disclosure
  • Arbitrary File Delete
  • Arbitrary file delete + Lack of input sanitization leading to Remote Code Execution
  • Order history disclosure
  • Overwrite a Relative Path in Sitemap
  • Setup pages expose sensitive data
  • CSRF + Stored Cross Site Scripting (customer group)
  • Security Issue with referrer
  • Stored XSS – Add new group in Attribute set name
  • Admin Notification Stored XSS
  • Potential file uploads solely protected by .htaccess
  • Customer login authenticates two different sessions
  • Customer registration through frontend does not have anti-CSRF protection
  • CMS Page Title Stored XSS
  • Anti-CSRF form_key is not changed after login
  • CSRF + Stored Cross Site Scripting in newsletter template
  • XSS in admin order view using order status label in Magento
  • Stored Cross-Site Scripting in email template bypass
  • Stored XSS on product thumbnail
  • Possible XSS in admin order view using order code label
  • Stored XSS using svg images in Favicon
  • Injection on Page leading to DoS
  • Stored XSS in integration activation
  • Any admin user can upload Favicon Icon
  • Stored XSS through customer group name in admin panel
  • Access Control Lists not validated when using quick edit mode in tables
  • Order Item Custom Option Disclosure
  • API token does not correctly expire
  • Anonymous users can view upgrade progress updates
  • Full Path Disclosure Web Root Directory
  • Admin login does not handle autocomplete feature correctly
  • Customer email enumeration through frontend login
  • Any user can interact with the sales order function despite not being authorized
Test the updates on a staging copy of your store before deploying them to production, just to be on the safe side. Do not let testing become a delay, however: make sure your stores are updated as soon as possible.
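As a practical check before and after patching, here is a small added script (it is not part of Magento, and not from the original post) that reports whether SUPEE-10266 shows up as applied in a Magento 1 store's app/etc/applied.patches.list, and whether a Magento 2 version string is at or above the patched release for its line (2.0.16 or 2.1.9). The column order assumed for applied.patches.list, the "REVERTED" marker used for a backed-out patch, and the package names read from composer.lock are assumptions made for this example; the sample file contents and the composer.lock fragment are constructed.

```python
"""Added example: check whether a Magento 1 store has SUPEE-10266 applied and
whether a Magento 2 store is on a release at or above 2.0.16 / 2.1.9.

Assumptions (not taken from the original post):
  * Magento 1 patch scripts append one pipe-separated line per patch to
    app/etc/applied.patches.list with the patch name in the second column;
    a reverted patch is recorded as a later line for the same patch that
    contains the word REVERTED.
  * A Magento 2 store's installed version is the version of the
    magento/product-community-edition (or product-enterprise-edition)
    package recorded in composer.lock.
All sample inputs below are constructed for this example.
"""
import json
import re
from typing import Optional, Tuple

PATCH_ID = "SUPEE-10266"

# Minimum patched release for each Magento 2 line covered by this advisory.
PATCHED_2X = {(2, 0): (2, 0, 16), (2, 1): (2, 1, 9)}

# Constructed applied.patches.list contents: one store where the patch is in
# place, one where it was applied and then reverted.
SAMPLE_APPLIED = """\
2017-06-14 10:01:02 UTC | SUPEE-9767_CE_1.9.3.1_v2 | CE_1.9.3.1 | v1 | 0000aaaa | files...
2017-09-14 08:22:47 UTC | SUPEE-10266 | CE_1.9.3.4 | v1 | 0000bbbb | app/etc/local.xml ...
"""
SAMPLE_REVERTED = SAMPLE_APPLIED + (
    "2017-09-15 09:00:00 UTC | SUPEE-10266 | CE_1.9.3.4 | v1 | 0000bbbb | REVERTED | ...\n"
)

# Constructed composer.lock fragment for a Magento 2 store still on 2.1.8.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "magento/framework", "version": "100.1.8"},
        {"name": "magento/product-community-edition", "version": "2.1.8"},
    ]
})


def supee_status(patches_list_text: str, patch_id: str = PATCH_ID) -> str:
    """Return 'applied', 'reverted' or 'missing' for patch_id.

    Lines are processed in order and the last line naming the patch wins, so
    an apply -> revert -> re-apply history is reported as 'applied'.
    """
    state = "missing"
    for line in patches_list_text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) < 2:
            continue
        # Patch names may carry a suffix (SUPEE-9767_CE_1.9.3.1_v2), so match
        # the bare identifier followed by an underscore or the end of the field.
        if not re.match(rf"{re.escape(patch_id)}(?:_|$)", fields[1]):
            continue
        state = "reverted" if "REVERTED" in fields[2:] else "applied"
    return state


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; trailing suffixes such as '-p1' are ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"not a Magento version string: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def magento2_version_from_lock(lock_text: str) -> Optional[str]:
    """Return the Magento 2 product version recorded in composer.lock, if any."""
    data = json.loads(lock_text)
    for pkg in data.get("packages", []):
        if pkg.get("name") in ("magento/product-community-edition",
                               "magento/product-enterprise-edition"):
            return pkg.get("version")
    return None


def magento2_needs_update(version: str) -> Optional[bool]:
    """True if version is below the patched release of its line, False if it
    is at or above it, None if the line (e.g. 2.2.x) is not covered here."""
    v = parse_version(version)
    target = PATCHED_2X.get(v[:2])
    if target is None:
        return None
    return v < target


if __name__ == "__main__":
    print("M1 store A:", supee_status(SAMPLE_APPLIED))      # applied
    print("M1 store B:", supee_status(SAMPLE_REVERTED))     # reverted
    installed = magento2_version_from_lock(SAMPLE_COMPOSER_LOCK)
    print("M2 store:", installed, "needs update:", magento2_needs_update(installed))
```

On a real store, feed the script the contents of app/etc/applied.patches.list and composer.lock respectively. The "reverted" state matters: a patch that was applied and later backed out (for example to resolve a conflict with an extension) still leaves a line in the list, so a plain grep for the patch name can report a store as protected when it is not.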
Syed Muneeb Ul Hasan

Syed Muneeb Ul Hasan is an expert in PHP and Magento who enjoys teaching users how to implement and learn Magento. When not working, he loves to watch cricket.
