MAGENTO SECURITY PATCH SUPEE-10266 RELEASED
SUPEE-10266, Magento Commerce 184.108.40.206 and Open Source 220.127.116.11 contain multiple security enhancements that help close cross-site request forgery (CSRF), unauthorized data leak, and authenticated Admin user remote code execution vulnerabilities. These releases also include fixes for issues with image reloading and payments using one-step checkout.
Patches and upgrades are available for the following Magento versions:
- Magento Commerce 18.104.22.168-22.214.171.124: SUPEE-10266 or upgrade to Magento Commerce 126.96.36.199
- Magento Open Source 188.8.131.52-184.108.40.206: SUPEE-10266 or upgrade to Magento Open Source 220.127.116.11
Note: SUPEE-10266 for Magento Commerce (Enterprise Edition) includes a fix for a functional issues MPERF-9685, related to checkout with a zero order amount. This fix is not included in release 18.104.22.168. However, in some cases, SUPEE-10266 can cause issues in the checkout process. Specifically, if a customer enables the Add gift options checkbox during checkout, the checkout process will not progress beyond the payments step. Magento released a fix for this issue as a new patch SUPEE-10348, that needs to be installed on top of SUPEE-10266.
There were several CVSSv3 Severity issues found which affected the Magento products. Below are the few bugs:
Issue Type: Privilege Escalation
|CVSSv3 Severity||Security Bug||Description|
|6.7 (Medium)||RSS session admin cookie can be used to gain Magento administrator privileges.||An attacker can use a low privilege RSS session cookie to escalate privileges and gain access to the Magento Admin Portal.|
Issue Type: Remote Code Execution (RCE)
|8.2 (High)||Remote Code Execution vulnerability in CMS and layouts||A Magento administrator with limited privileges can introduce malicious code when creating a new CMS Page, which could result in arbitrary remote code execution.|
|5.8 (Medium)||Potential file uploads solely protected by .htaccess||An attacker can target non-Apache installations (for example, Nginx) to upload executable scripts that can be used to stage additional exploitations.|
It is highly recommended by Magento to deploy these new releases right away, to ensure optimal security and performance. Remember to implement and test the patch in a development environment first to confirm that it works as expected or consult a professional.
What else can be done to protect a Magento site?
Apart from installing the security patches, you can always ask Magento certified professionals to conduct a security audit every quarter to ensure that your store is secured especially if you have installed new extensions and made some changes to the site.
Consult our certified Magento developers, if you want to implement this security patch or have any questions regarding the Magento security SUPEE-10266 patch, please contact our support team.