New Security Update

Install critical updates for Magento 1.x and Magento 2.x versions

SUPEE-10266

September 14, 2017

SUPEE-10266, Magento Commerce 1.14.3.6 and Open Source 1.9.3.6 contain multiple security enhancements that help close cross-site request forgery (CSRF), unauthorized data leak, and authenticated Admin user remote code execution vulnerabilities. These releases also include fixes for issues with image reloading and payments using one-step checkout.

Information on all the changes in 1.14.3.6 and 1.9.3.6 releases is available in the Magento Commerce and Magento Open Source release notes.

Patches and upgrades are available for the following Magento versions:

  • Magento Commerce 1.9.0.0-1.14.3.4: SUPEE-10266 or upgrade to Magento Commerce 1.14.3.6

  • Magento Open Source 1.5.0.0-1.9.3.4: SUPEE-10266 or upgrade to Magento Open Source 1.9.3.6

Note: SUPEE-10266 for Magento Commerce (Enterprise Edition) includes a fix for a functional issue, MPERF-9685, related to checkout with a zero order amount. This fix is not included in release 1.14.3.6. However, in some cases, SUPEE-10266 can cause issues in the checkout process. Specifically, if a customer enables the Add gift options checkbox during checkout, the checkout process will not progress beyond the payments step. Magento released a fix for this issue as a new patch, SUPEE-10348, which must be installed on top of SUPEE-10266.

To download a patch or release, choose from the following options:

Partners:

Magento Commerce 1.14.3.6

Partner Portal > Magento Commerce > Magento Commerce 1.X > Magento Commerce 1.x > Version 1.x Releases > Version 1.14.3.6

SUPEE-10266

Partner Portal > Magento Commerce > Magento Commerce 1.X > Magento Commerce 1.x > Support and Security Patches > Security Patches > Security Patches – September 2017 

Magento Commerce Merchants:

Magento Commerce 1.14.3.6

My Account > Downloads Tab > Magento Commerce 1.X > Magento Commerce 1.x > Version 1.x Releases > Version 1.14.3.6

SUPEE-10266

My Account > Downloads Tab > Magento Commerce 1.X > Magento Commerce 1.x > Support and Security Patches > Security Patches > Security Patches – September 2017

Magento Open Source Merchants:

Magento Open Source 1.9.3.6

Magento Open Source Download Page > Release Archive Tab

SUPEE-10266

Magento Open Source Download Page > Release Archive Tab > Magento Open Source Patches - 1.x Section


APPSEC-1838: RSS session admin cookie can be used to gain Magento administrator privileges.
Type: Privilege Escalation
CVSSv3 Severity: 8.2 (High)
Known Attacks: None
Description:

An attacker can use a low-privilege RSS session cookie to escalate privileges and gain access to the Magento Admin Portal.

Product(s) Affected: Magento Open Source prior to 1.9.3.6, and Magento Commerce prior to 1.14.3.6
Fixed In: Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266
Reporter: gwillem

APPSEC-1800: Remote Code Execution vulnerability in CMS and layouts
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 8.2 (High)
Known Attacks: None
Description:

A Magento administrator with limited privileges can introduce malicious code when creating a new CMS Page, which could result in arbitrary remote code execution.

Product(s) Affected: Magento Open Source prior to 1.9.3.6, and Magento Commerce prior to 1.14.3.6, Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266, Magento 2.0.16, Magento 2.1.9
Reporter: dhln

APPSEC-1835: Exposure of Magento secret key from app/etc/local.xml
Type: Information Leak (system)
CVSSv3 Severity: 8.2 (High)
Known Attacks: None
Description:

An administrator with limited privileges can create content that references and exposes sensitive Magento installation information that could be leveraged in further exploitation.

Product(s) Affected: Magento Open Source prior to 1.9.3.6, and Magento Commerce prior to 1.14.3.6
Fixed In: Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266
Reporter: Jeroen Boersma

APPSEC-1757: Directory traversal in template configuration
Type: Information Leak (system)
CVSSv3 Severity: 6.1 (Medium)
Known Attacks: None
Description:

An administrator with limited privileges can force Magento store notifications to include internal system files.

Product(s) Affected: Magento Open Source prior to 1.9.3.6, and Magento Commerce prior to 1.14.3.6
Fixed In: Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266
Reporter: Nashcontrol

APPSEC-1852: CSRF + Stored Cross Site Scripting (customer group)
Type: CSRF, XSS (stored)
CVSSv3 Severity: 6.0 (Medium)
Known Attacks: None
Description:

A Magento administrator with limited privileges can exploit a vulnerability in the customer group to create a URL that can be used as part of a CSRF attack.

Product(s) Affected: Magento Open Source prior to 1.9.3.6, and Magento Commerce prior to 1.14.3.6, Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266, Magento 2.0.16, Magento 2.1.9
Reporter: Boskostan

APPSEC-1494: AdminNotification Stored XSS
Type: Cross-Site Scripting (XSS, stored)
CVSSv3 Severity: 5.9 (Medium)
Known Attacks: None
Description:

An attacker with the ability to launch a man-in-the-middle attack on a network connection could inject code into the Magento Admin RSS feed.

Product(s) Affected: Magento Open Source prior to 1.9.3.6, and Magento Commerce prior to 1.14.3.6, Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266, Magento 2.0.16, Magento 2.1.9
Reporter: lleber

APPSEC-1793: Potential file uploads solely protected by .htaccess
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 5.8 (Medium)
Known Attacks: None
Description:

An attacker can target non-Apache installations (for example, Nginx) to upload executable scripts that can be used to stage additional exploitations.

Product(s) Affected: Magento Open Source prior to 1.9.3.6, and Magento Commerce prior to 1.14.3.6, Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266, Magento 2.0.16, Magento 2.1.9
Reporter: Internal

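The entry above turns on a deployment detail: an .htaccess file only restricts what Apache serves, so on Nginx an upload directory that relies on it has no server-side guard at all, whatever the application patch does. The fragment below is an added hardening example for a Magento 1 document root; it is not part of the advisory or of Magento's own distribution. It assumes a standard Magento 1 directory layout, PHP-FPM reached over a unix socket at /run/php-fpm.sock, and that the downloader/ directory is not needed in production; adjust those to your environment.

```nginx
# Added example (not Magento's code): Nginx equivalents for the protections
# that .htaccess files provide only under Apache. Place inside the server {}
# block that serves the Magento 1 document root.

# Directories that hold code, configuration or runtime data are never served.
location ^~ /app/       { deny all; }
location ^~ /includes/  { deny all; }
location ^~ /lib/       { deny all; }
location ^~ /var/       { deny all; }
location ^~ /downloader/ { deny all; }   # assumption: not used in production

# Dotfiles (.htaccess, .git, ...) are never served either.
location ~ /\. { deny all; }

# media/ must stay readable (product images, WYSIWYG uploads) but nothing in
# it may ever be handed to the PHP interpreter. The ^~ prefix match wins over
# the generic regex PHP location below, and the nested regex then refuses any
# script-like extension found under media/, whatever .htaccess says.
location ^~ /media/ {
    location ~* \.(php|phtml|phar|pl|py|cgi|sh)$ { deny all; }
    try_files $uri $uri/ =404;
}

# Generic PHP handler. try_files $uri =404 ensures only a file that really
# exists is executed, so a request for an image path with a trailing
# ".php" suffix cannot reach the interpreter.
location ~ \.php$ {
    try_files $uri =404;
    fastcgi_pass unix:/run/php-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
```

After `nginx -t` and a reload, a quick self-check is to place an empty file named `probe.php` under media/ and request it with `curl -I`; the server should answer 403, not 200, and the file should be removed afterwards. Whether a site is patched against APPSEC-1793 or not, this guard is what makes a successful upload into media/ harmless on Nginx.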
APPSEC-1853: CSRF + Stored Cross Site Scripting in newsletter template
Type: CSRF, XSS (stored)
CVSSv3 Severity: 5.5 (Medium)
Known Attacks: None
Description:

A Magento administrator with limited privileges can exploit a vulnerability in the newsletter template to create a URL that can be used as part of a CSRF attack.

Product(s) Affected: Magento Open Source prior to 1.9.3.6, and Magento Commerce prior to 1.14.3.6, Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266, Magento 2.0.16, Magento 2.1.9
Reporter: Boskostan

APPSEC-1729: XSS in admin order view using order status label in Magento
Type: Cross-Site Scripting (XSS, stored)
CVSSv3 Severity: 5.5 (Medium)
Known Attacks: None
Description:

An administrator can inject code into sales order records, which can result in an XSS attack on anyone who views the page.

Product(s) Affected: Magento Open Source prior to 1.9.3.6, and Magento Commerce prior to 1.14.3.6, Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266, Magento 2.0.16, Magento 2.1.9
Reporter: fabian

APPSEC-1579: Customer Segment Delete Action uses GET instead of POST request
Type: Cross-Site Request Forgery (CSRF)
CVSSv3 Severity: 5.1 (Medium)
Known Attacks: None
Description:

A Magento administrator can perform malicious actions through an inadequate security check of the form key in the customer segment page.

Product(s) Affected: Magento Open Source prior to 1.9.3.6, and Magento Commerce prior to 1.14.3.6, Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266, Magento 2.0.16, Magento 2.1.9
Reporter: Internal

APPSEC-1588: Order Item Custom Option Disclosure
Type: Information Leak (order)
CVSSv3 Severity: 4.9 (Medium)
Known Attacks: None
Description:

An attacker can craft a URL request on a Magento site during checkout and retrieve information about past orders.

Product(s) Affected: Magento Open Source prior to 1.9.3.6, and Magento Commerce prior to 1.14.3.6, Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266, Magento 2.0.16, Magento 2.1.9
Reporter: Peter O'Callaghan

APPSEC-1599: Admin login does not handle autocomplete feature correctly
Type: Information Leak (system)
CVSSv3 Severity: 4.1 (Medium)
Known Attacks: None
Description:

Several fields in the Admin panel do not correctly handle autocomplete, which could result in a potential information leak when a browser tries to autocomplete the field.

Product(s) Affected: Magento Open Source prior to 1.9.3.6, and Magento Commerce prior to 1.14.3.6, Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9
Fixed In: Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266, Magento 2.0.16, Magento 2.1.9
Reporter: Internal

APPSEC-1688: Secure cookie check to prevent MITM not expiring user sessions
Type: Insufficient Session Expiration
CVSSv3 Severity: 3.8 (Low)
Known Attacks: None
Description:

Magento does not properly validate session cookies, or cause them to expire, which potentially permits visitors to use expired cookies to interact with a store.

Product(s) Affected: Magento Open Source prior to 1.9.3.6, and Magento Commerce prior to 1.14.3.6
Fixed In: Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266
Reporter: jay-d

Please refer to Security Best Practices for additional information on how to secure your site.

Be sure to implement and test the patch in a development environment first to confirm that it works as expected before deploying it to a production site.