SUPEE-10888
September 10, 2018
SUPEE-10888, Magento Commerce 1.14.3.10 and Open Source 1.9.3.10 contain multiple security enhancements that help close cross-site scripting (XSS), cross-site request forgery (CSRF) and other vulnerabilities.
Information on all the changes in 1.14.3.10 and 1.9.3.10 releases is available in the Magento Commerce and Magento Open Source release notes.
Patches and upgrades are available for the following Magento versions:
-
Magento Commerce 1.9.0.0-1.14.3.10: SUPEE-10888 or upgrade to Magento Commerce 1.14.3.10.
-
Magento Open Source 1.5.0.0-1.9.3.10: SUPEE-10888 or upgrade to Magento Open Source 1.9.3.10.
To download a patch or release, choose from the following options:
Partners:
|
Magento Commerce 1.14.3.10 |
Partner Portal > Magento Commerce > Magento Commerce 1.X > Magento Commerce 1.x > Version 1.x Releases > Version 1.14.3.10 |
|
SUPEE-10888 |
Partner Portal > Magento Commerce > Magento Commerce 1.X > Magento Commerce 1.x > Support and Security Patches > Security Patches > Security Patches – September 2018 |
Magento Commerce Merchants:
|
Magento Commerce 1.14.3.10 |
My Account > Downloads Tab > Magento Commerce 1.X > Magento Commerce 1.x > Version |
|
SUPEE-10888 |
My Account > Downloads Tab > Magento Commerce 1.X > Magento Commerce 1.x > Support and Security Patches > Security Patches > Security Patches – September 2018 |
Magento Open Source Merchants:
|
Magento Open Source 1.9.3.10 |
Magento Open Source Download Page > Release Archive Tab |
|
SUPEE-10888 |
Magento Open Source Download Page > Release Archive Tab > Magento Open Source Patches - 1.x Section |
| APPSEC-2061: Authenticated Unauthorised Data Access Via Layout Injection | |
|---|---|
| Type: | XML injection |
| CVSSv3 Severity: | 6.9 |
| Known Attacks: | None |
| Description: | An administrator with limited permissions might be able to obtain information outside of his permissions. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.10, and Magento Commerce prior to 1.14.3.10. |
| Fixed In: | Magento Open Source 1.9.3.10, Magento Commerce 1.14.3.10, SUPEE-10888 |
| Reporter: | |
| APPSEC-1971: Reflective XSS against Admin Panel | |
|---|---|
| Type: | General: Cross Site Scripting (reflective) |
| CVSSv3 Severity: | 6.1 |
| Known Attacks: | None |
| Description: | Arbitrary JS can be triggered on the sales order grid page by manipulating one of the URL parameters. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.10, and Magento Commerce prior to 1.14.3.10. |
| Fixed In: | Magento Open Source 1.9.3.10, Magento Commerce 1.14.3.10, SUPEE-10888 |
| Reporter: | pocallaghan |
| APPSEC-2067: Admin to Admin XSS in configurable custom attribute label | |
|---|---|
| Type: | General: Cross Site Scripting (stored) |
| CVSSv3 Severity: | 5.9 |
| Known Attacks: | None |
| Description: | Administrator with limited permissions might be able to use XSS attack on another administrator. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.10, and Magento Commerce prior to 1.14.3.10. |
| Fixed In: | Magento Open Source 1.9.3.10, Magento Commerce 1.14.3.10, SUPEE-10888 |
| Reporter: | convenient |
| APPSEC-2066: Admin to Admin XSS in Catalog Attribute Media Label | |
|---|---|
| Type: | General: Cross Site Scripting (stored) |
| CVSSv3 Severity: | 5.9 |
| Known Attacks: | None |
| Description: | Administrator with limited permissions might be able to use XSS attack on another administrator. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.10, and Magento Commerce prior to 1.14.3.10. |
| Fixed In: | Magento Open Source 1.9.3.10, Magento Commerce 1.14.3.10, SUPEE-10888 |
| Reporter: | convenient |
| APPSEC-2060: Overwrite all Reviews | |
|---|---|
| Type: | Privilege Escalation & Enumeration: Information Exposure |
| CVSSv3 Severity: | 5.9 |
| Known Attacks: | None |
| Description: | In specific configurations, it might be possible to overwrite reviews. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.10, and Magento Commerce prior to 1.14.3.10. |
| Fixed In: | Magento Open Source 1.9.3.10, Magento Commerce 1.14.3.10, SUPEE-10888 |
| Reporter: | pocallaghan |
| APPSEC-1859: Reset password URL includes the customer ID | |
|---|---|
| Type: | Privilege Escalation & Enumeration |
| CVSSv3 Severity: | N/A |
| Known Attacks: | None |
| Description: | The reset password link for a customer account includes the customer ID. An attacker can use the customer ID to gain access to the customer account, despite the use of a token. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.10, and Magento Commerce prior to 1.14.3.10, Magento 2.1 prior to 2.1.15, Magento 2.2 prior to 2.2.6 |
| Fixed In: | Magento Open Source 1.9.3.10, Magento Commerce 1.14.3.10, SUPEE-10888, Magento 2.1.15, Magento 2.2.6 |
| Reporter: | Internal |
| APPSEC-1730: Downloader does not force to use HTTPS | |
|---|---|
| Type: | Improvement |
| CVSSv3 Severity: | N/A |
| Known Attacks: | None |
| Description: | Downloader now will only use HTTPS connections. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.10, and Magento Commerce prior to 1.14.3.10. |
| Fixed In: | Magento Open Source 1.9.3.10, Magento Commerce 1.14.3.10, SUPEE-10888 |
| Reporter: | Internal |
| APPSEC-1936: Customer password recoverable from the database | |
|---|---|
| Type: | Privilege Escalation & Enumeration: Information Exposure |
| CVSSv3 Severity: | N/A |
| Known Attacks: | None |
| Description: | Magento customer password recoverable from the database `sales_flat_quote` table. A malicious user can use a brute-force attack to recover the `global/secret/key` from the `app/etc/local.xml` file, upload a file, and then decrypt it. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.10, and Magento Commerce prior to 1.14.3.10. |
| Fixed In: | Magento Open Source 1.9.3.10, Magento Commerce 1.14.3.10, SUPEE-10888 |
| Reporter: | jeroenboersma |
| APPSEC-1933: Moxieplayer Redirect | |
|---|---|
| Type: | Security Misconfiguration: Misconfigured Browser Feature |
| CVSSv3 Severity: | N/A |
| Known Attacks: | None |
| Description: | A Moxieplayer redirect allows an open redirect to any site in an exploitable manner. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.10, and Magento Commerce prior to 1.14.3.10. |
| Fixed In: | Magento Open Source 1.9.3.10, Magento Commerce 1.14.3.10, SUPEE-10888 |
| Reporter: | todayisnew |
| APPSEC-2002: E-mail admin users when a new administrator is created. | |
|---|---|
| Type: | Improvement |
| CVSSv3 Severity: | N/A |
| Known Attacks: | None |
| Description: | Helps detect recently created admin accounts. Email is sent when new administrator account is created. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.10, and Magento Commerce prior to 1.14.3.10, Magento 2.1 prior to 2.1.15, Magento 2.2 prior to 2.2.6 |
| Fixed In: | Magento Open Source 1.9.3.10, Magento Commerce 1.14.3.10, SUPEE-10888, Magento 2.1.15, Magento 2.2.6 |
| Reporter: | Internal |
| APPSEC-1790: Possibility to inject XML via gift card registry | |
|---|---|
| Type: | XML Injection |
| CVSSv3 Severity: | N/A |
| Known Attacks: | None |
| Description: | Possibility to inject XML via gift card registry |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.10, and Magento Commerce prior to 1.14.3.10. |
| Fixed In: | Magento Open Source 1.9.3.10, Magento Commerce 1.14.3.10, SUPEE-10888 |
| Reporter: | Internal |
Please refer to Security Best Practices for additional information on how to secure your site.
Be sure to implement and test the patch in a development environment first to confirm that it works as expected before deploying it to a production site.