MAGENTO SECURITY PATCH SUPEE-10415 RELEASED
SUPEE-10415, Magento Commerce 18.104.22.168 and Open Source 22.214.171.124 contain multiple security enhancements that help close cross-site request forgery (CSRF), Denial-of-Service (DoS) and authenticated Admin user remote code execution (RCE) vulnerabilities. These releases also include a fix for a prior customers that had experienced issues patching caused by SOAP v1 interactions in WSDL.
NOTE: Magento was recently informed about an issue with both patch SUPEE-10570 and Magento versions 126.96.36.199/188.8.131.52 that could result in the inability of customers to complete checkout when trying to register during checkout. Magento is now providing an updated patch (SUPEE-10570v2) that no longer causes this issue.
Patches and upgrades are available for the following Magento versions:
- Magento Commerce 184.108.40.206-220.127.116.11: SUPEE-10415 or upgrade to Magento Commerce 18.104.22.168.
- Magento Open Source 22.214.171.124-126.96.36.199: SUPEE-10415 or upgrade to Magento Open Source 188.8.131.52.
There were several CVSSv3 Severity issues found which affected the Magento products. Below are the few bugs:
Issue Type: Denial-of-Service (DOS)
|CVSSv3 Severity||Security Bug||Description|
|6.7 (Medium)||Unsanitized input leading to denial of service||A site visitor can create an account where one of the parameters will create a server denial-of-service.|
Issue Type: Cross-Site Scripting (XSS, stored)
|6.6 (Medium)||Stored XSS in Product Name field||An administrator with limited privileges can insert script in the product name field, potentially resulting in a stored cross-site scripting that affects other administrators.|
|6.1 (Medium)||Stored XSS in Visual Merchandiser||An administrator with limited privileges can create a stored-cross site scripting attack in the Visual Merchaniser system.|
Issue Type: Remote Code Execution (RCE)
|5.0(Medium)||Cross-site Scripting in CMS hierarchy||An administrator with limited privileges can insert script into the CMS hierarchy, which could potentially result in a stored cross-site scripting that affects other administrators.|
|8.2 (High)||Remote Code Execution by leveraging unsafe unserialization||An administrator with limited privileges can insert injectable code in promo fields, creating an opportunity for arbitrary remote code execution.|
It is highly recommended by Magento to deploy these new releases right away, to ensure optimal security and performance. Remember to implement and test the patch in a development environment first to confirm that it works as expected or consult a professional.
What else can be done to protect a Magento site?
Apart from installing the security patches, you can always ask Magento certified professionals to conduct a security audit every quarter to ensure that your store is secured especially if you have installed new extensions and made some changes to the site.
Consult our certified Magento developers, if you want to implement this security patch or have any questions regarding the Magento security SUPEE-10415 patch, please contact our support team.