MAGENTO SECURITY PATCH SUPEE-10752 RELEASED
SUPEE-10752, Magento Commerce 22.214.171.124 and Open Source 126.96.36.199 contain multiple security enhancements that help close authenticated Admin user remote code execution (RCE), cross-site request forgery (CSRF) and other vulnerabilities.
NOTE: Conflicts during installation of the patch SUPEE-10752 are caused most often by having version 1 of the previous patch installed (SUPEE-10570v1). Please make sure to remove SUPEE-10570v1 and install SUPEE-10570v2 prior to installation of SUPEE-10752.
Patches and upgrades are available for the following Magento versions:
- Magento Commerce 188.8.131.52-184.108.40.206: SUPEE-10752 or upgrade to Magento Commerce 220.127.116.11.
- Magento Open Source 18.104.22.168-22.214.171.124: SUPEE-10752 or upgrade to Magento Open Source 126.96.36.199.
There were several CVSSv3 Severity issues found which affected the Magento products. Below are the few bugs:
Issue Type: Remote Code Execution (RCE)
|CVSSv3 Severity||Security Bug||Description|
|9.8 (Critical)||Authenticated Remote Code Execution (RCE) using custom layout XML||Admin users with permission to manage products can use custom layout XML to copy any file to any location.|
|9.8 (Critical)||Authenticated Remote Code Execution (RCE) through the Create New Order feature (Commerce only)||Users with permission to generate sales orders from the Admin panel can use gift card functionality to manipulate request data and inject a malicious string that is later unserialized.|
|8.9 (High)||PHP Object Injection and RCE in the Magento admin panel (Commerce Target Rule module)||An administrator user with access to the Enterprise Target rule module can create rule-based product relations that can be manipulated to trigger remote code execution.|
|8.9 (High)||PHP Object Injection and Remote Code Execution (RCE) in the Admin panel (Commerce)||An administrator user with access to the Commerce Target rule module can create rule-based product relations that can be manipulated to trigger remote code execution.|
Issue Type: SQL Injection (SQLi)
|8.2 (High)||Authenticated SQL Injection when saving a category||Arbitrary JS can be triggered on the sales order grid page by manipulating one of the URL parameters.|
|8.2(High)||Admin to Admin XSS in configurable custom attribute label||By manipulating request data when saving a category, a user can insert a malicious string into the database that can be used in a subsequent request to perform SQL injection. This injected code can be used to trigger arbitrary (with the proviso they fit in the 255 char field) insert and update commands.|
Issue Type: Cross Site Request Forgery (CSRF)
|7.4 (High)||CSRF is possible against Web sites, Stores, and Store Views||Multiple CSRF vulnerabilities allow for deleting websites, stores or store views.|
Issue Type: Security Implementation Flaw
|7.4 (High)||The cron.php file can leak database credentials||The cron.php file can leak database credentials if it is not able to establish a connection to the database.|
It is highly recommended by Magento to deploy these new releases right away, to ensure optimal security and performance. Remember to implement and test the patch in a development environment first to confirm that it works as expected or consult a professional.
What else can be done to protect a Magento site?
Apart from installing the security patches, you can always ask Magento certified professionals to conduct a security audit every quarter to ensure that your store is secured especially if you have installed new extensions and made some changes to the site.
Consult our certified Magento developers, if you want to implement this security patch or have any questions regarding the Magento security SUPEE-10752 patch, please contact our support team.