New Security Update

Install critical updates for Magento 1.x and Magento 2.x versions

SUPEE-10888

September 10, 2018

SUPEE-10888, Magento Commerce 1.14.3.10 and Open Source 1.9.3.10 contain multiple security enhancements that help close cross-site scripting (XSS), cross-site request forgery (CSRF) and other vulnerabilities.

Information on all the changes in 1.14.3.10 and 1.9.3.10 releases is available in the Magento Commerce and Magento Open Source release notes.

Patches and upgrades are available for the following Magento versions:

  • Magento Commerce 1.9.0.0-1.14.3.10: SUPEE-10888 or upgrade to Magento Commerce 1.14.3.10.

  • Magento Open Source 1.5.0.0-1.9.3.10: SUPEE-10888 or upgrade to Magento Open Source 1.9.3.10.

To download a patch or release, choose from the following options:

Partners:

Magento Commerce 1.14.3.10

Partner Portal > Magento Commerce > Magento Commerce 1.X > Magento Commerce 1.x > Version 1.x Releases > Version 1.14.3.10

SUPEE-10888

Partner Portal > Magento Commerce > Magento Commerce 1.X > Magento Commerce 1.x > Support and Security Patches > Security Patches > Security Patches – September 2018 

Magento Commerce Merchants:

Magento Commerce 1.14.3.10

My Account > Downloads Tab > Magento Commerce 1.X > Magento Commerce 1.x > Version 1.x Releases > Version 1.14.3.10

SUPEE-10888

My Account > Downloads Tab > Magento Commerce 1.X > Magento Commerce 1.x > Support and Security Patches > Security Patches > Security Patches – September 2018

Magento Open Source Merchants:

Magento Open Source 1.9.3.10

Magento Open Source Download Page > Release Archive Tab

SUPEE-10888

Magento Open Source Download Page > Release Archive Tab > Magento Open Source Patches - 1.x Section

APPSEC-2061: Authenticated Unauthorised Data Access Via Layout Injection
Type: XML injection
CVSSv3 Severity: 6.9
Known Attacks: None
Description:

An administrator with limited permissions might be able to obtain information outside the scope of their permissions.

Product(s) Affected: Magento Open Source prior to 1.9.3.10, and Magento Commerce prior to 1.14.3.10.
Fixed In: Magento Open Source 1.9.3.10, Magento Commerce 1.14.3.10, SUPEE-10888
Reporter:

APPSEC-1971: Reflective XSS against Admin Panel
Type: General: Cross Site Scripting (reflective)
CVSSv3 Severity: 6.1
Known Attacks: None
Description:

Arbitrary JS can be triggered on the sales order grid page by manipulating one of the URL parameters.

Product(s) Affected: Magento Open Source prior to 1.9.3.10, and Magento Commerce prior to 1.14.3.10.
Fixed In: Magento Open Source 1.9.3.10, Magento Commerce 1.14.3.10, SUPEE-10888
Reporter: pocallaghan

APPSEC-2067: Admin to Admin XSS in configurable custom attribute label
Type: General: Cross Site Scripting (stored)
CVSSv3 Severity: 5.9
Known Attacks: None
Description:

An administrator with limited permissions might be able to mount an XSS attack against another administrator.

Product(s) Affected: Magento Open Source prior to 1.9.3.10, and Magento Commerce prior to 1.14.3.10.
Fixed In: Magento Open Source 1.9.3.10, Magento Commerce 1.14.3.10, SUPEE-10888
Reporter: convenient

APPSEC-2066: Admin to Admin XSS in Catalog Attribute Media Label
Type: General: Cross Site Scripting (stored)
CVSSv3 Severity: 5.9
Known Attacks: None
Description:

An administrator with limited permissions might be able to mount an XSS attack against another administrator.

Product(s) Affected: Magento Open Source prior to 1.9.3.10, and Magento Commerce prior to 1.14.3.10.
Fixed In: Magento Open Source 1.9.3.10, Magento Commerce 1.14.3.10, SUPEE-10888
Reporter: convenient

APPSEC-2060: Overwrite all Reviews
Type: Privilege Escalation & Enumeration: Information Exposure
CVSSv3 Severity: 5.9
Known Attacks: None
Description:

In specific configurations, it might be possible to overwrite reviews.

Product(s) Affected: Magento Open Source prior to 1.9.3.10, and Magento Commerce prior to 1.14.3.10.
Fixed In: Magento Open Source 1.9.3.10, Magento Commerce 1.14.3.10, SUPEE-10888
Reporter: pocallaghan

APPSEC-1859: Reset password URL includes the customer ID
Type: Privilege Escalation & Enumeration
CVSSv3 Severity: N/A
Known Attacks: None
Description:

The reset password link for a customer account includes the customer ID. An attacker can use the customer ID to gain access to the customer account, despite the use of a token.

Product(s) Affected: Magento Open Source prior to 1.9.3.10, and Magento Commerce prior to 1.14.3.10, Magento 2.1 prior to 2.1.15, Magento 2.2 prior to 2.2.6
Fixed In: Magento Open Source 1.9.3.10, Magento Commerce 1.14.3.10, SUPEE-10888, Magento 2.1.15, Magento 2.2.6
Reporter: Internal

APPSEC-1730: Downloader does not force to use HTTPS
Type: Improvement
CVSSv3 Severity: N/A
Known Attacks: None
Description:

The Downloader now uses only HTTPS connections.

Product(s) Affected: Magento Open Source prior to 1.9.3.10, and Magento Commerce prior to 1.14.3.10.
Fixed In: Magento Open Source 1.9.3.10, Magento Commerce 1.14.3.10, SUPEE-10888
Reporter: Internal

APPSEC-1936: Customer password recoverable from the database
Type: Privilege Escalation & Enumeration: Information Exposure
CVSSv3 Severity: N/A
Known Attacks: None
Description:

A Magento customer password is recoverable from the `sales_flat_quote` database table. A malicious user can use a brute-force attack to recover the `global/secret/key` from the `app/etc/local.xml` file, upload a file, and then decrypt it.

Product(s) Affected: Magento Open Source prior to 1.9.3.10, and Magento Commerce prior to 1.14.3.10.
Fixed In: Magento Open Source 1.9.3.10, Magento Commerce 1.14.3.10, SUPEE-10888
Reporter: jeroenboersma

APPSEC-1933: Moxieplayer Redirect
Type: Security Misconfiguration: Misconfigured Browser Feature
CVSSv3 Severity: N/A
Known Attacks: None
Description:

A Moxieplayer redirect allows an open redirect to any site in an exploitable manner.

Product(s) Affected: Magento Open Source prior to 1.9.3.10, and Magento Commerce prior to 1.14.3.10.
Fixed In: Magento Open Source 1.9.3.10, Magento Commerce 1.14.3.10, SUPEE-10888
Reporter: todayisnew

APPSEC-2002: E-mail admin users when a new administrator is created.
Type: Improvement
CVSSv3 Severity: N/A
Known Attacks: None
Description:

An email is now sent when a new administrator account is created, which helps detect recently created admin accounts.

Product(s) Affected: Magento Open Source prior to 1.9.3.10, and Magento Commerce prior to 1.14.3.10, Magento 2.1 prior to 2.1.15, Magento 2.2 prior to 2.2.6
Fixed In: Magento Open Source 1.9.3.10, Magento Commerce 1.14.3.10, SUPEE-10888, Magento 2.1.15, Magento 2.2.6
Reporter: Internal

APPSEC-1790: Possibility to inject XML via gift card registry
Type: XML Injection
CVSSv3 Severity: N/A
Known Attacks: None
Description:

Possibility to inject XML via gift card registry.

Product(s) Affected: Magento Open Source prior to 1.9.3.10, and Magento Commerce prior to 1.14.3.10.
Fixed In: Magento Open Source 1.9.3.10, Magento Commerce 1.14.3.10, SUPEE-10888
Reporter: Internal

Please refer to Security Best Practices for additional information on how to secure your site.

Be sure to implement and test the patch in a development environment first to confirm that it works as expected before deploying it to a production site.