MAGENTO SECURITY PATCH SUPEE-10888 RELEASED
SUPEE-10888, Magento Commerce 1.14.3.10 and Magento Open Source 1.9.3.10 contain multiple security enhancements that close cross-site scripting (XSS), cross-site request forgery (CSRF) and other vulnerabilities. (The version numbers here were mangled in the extracted text and have been restored from the SUPEE-10888 release.)
Patches and upgrades are available for the following Magento versions:
- Magento Commerce 1.9.0.0-1.14.3.9: apply SUPEE-10888 or upgrade to Magento Commerce 1.14.3.10.
- Magento Open Source 1.5.0.0-1.9.3.9: apply SUPEE-10888 or upgrade to Magento Open Source 1.9.3.10.
The release notes list a number of issues rated by CVSSv3 severity. A selection of them:

| Issue Type | CVSSv3 Severity | Security Bug | Description |
|---|---|---|---|
| XML injection | 6.9 | Authenticated unauthorised data access via layout injection | An administrator with limited permissions might be able to obtain information outside of their permissions. |
| General: cross-site scripting (reflected) | 6.1 | Reflected XSS against the Admin Panel | Arbitrary JavaScript can be triggered on the sales order grid page by manipulating one of the URL parameters. |
| General: cross-site scripting (reflected) | 6.1 | Admin-to-admin XSS in configurable custom attribute label | An administrator with limited permissions might be able to mount an XSS attack against another administrator. |
| Privilege escalation and enumeration: information exposure | 5.9 | Overwrite all reviews | In specific configurations, it might be possible to overwrite reviews. |
| Privilege escalation and enumeration: information exposure | N/A | Reset password URL includes the customer ID | The reset password link for a customer account includes the customer ID. An attacker can use the customer ID to gain access to the customer account, despite the use of a token. |
Magento strongly recommends deploying these releases right away. Apply and test the patch in a development or staging environment first to confirm that it works as expected, or consult a professional; SUPEE patches touch core files and can conflict with customisations or earlier patches, so always take a backup and check the result before promoting it to production.
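On a Magento 1 install the SUPEE patch scripts append a line to app/etc/applied.patches.list each time a patch is applied or reverted, so that file is the quickest place to confirm the patch actually landed on every environment. The shell function below is an added example, not code from this page or from Magento: the sample list file is constructed here, its column layout only approximates the real file (an assumption), and the check takes the most recent line naming the patch and treats a trailing REVERTED marker as "not applied".

```shell
#!/bin/sh
# Added example: report whether a SUPEE patch is recorded as applied in
# Magento 1's app/etc/applied.patches.list.
# Assumption: each apply/revert appends one line of the form
#   <date> | <PATCH-ID> | <edition_version> | <patch_version> | ... [| REVERTED]

# supee_status LISTFILE PATCH_ID
# Prints one of: applied | reverted | missing. Exit status 0 only for "applied".
supee_status() {
    listfile=$1
    patch=$2

    # No list file at all usually means no SUPEE patch was ever applied here.
    [ -r "$listfile" ] || { echo "missing"; return 1; }

    # Later reverts supersede earlier applies, so only the last matching line counts.
    last=$(grep -F "| $patch |" "$listfile" | tail -n 1)
    if [ -z "$last" ]; then
        echo "missing"
        return 1
    fi

    case "$last" in
        *REVERTED*) echo "reverted"; return 1 ;;
        *)          echo "applied";  return 0 ;;
    esac
}

# --- demo on a constructed sample list (not a real store's file) ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/applied.patches.list" <<'EOF'
2018-06-28 10:02:11 UTC | SUPEE-10752 | CE_1.9.3.8 | v1 | 1111111 | Wed Jun 27 2018 | v1.9.3.8..HEAD
2018-08-30 08:15:42 UTC | SUPEE-10888 | CE_1.9.3.9 | v1 | 2222222 | Mon Aug 27 2018 | v1.9.3.9..HEAD
EOF

for p in SUPEE-10752 SUPEE-10888 SUPEE-99999; do
    printf '%s: %s\n' "$p" "$(supee_status "$demo_dir/applied.patches.list" "$p")"
done
rm -rf "$demo_dir"
```

Run it against a real store as `supee_status app/etc/applied.patches.list SUPEE-10888` from the Magento root. A hit in this file only proves the patch script ran; if the store's code is deployed from version control or a build artefact, also confirm the patched files (not just the list entry) made it into the deployed tree.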
What else can be done to protect a Magento site?
Apart from installing the security patches, have certified Magento professionals conduct a security audit regularly (for example quarterly) to confirm that your store is still secure, especially after you have installed new extensions or made changes to the site.
If you want help implementing this security patch, or have any questions about SUPEE-10888, please contact our support team and our certified Magento developers.