
MAGENTO SECURITY PATCH SUPEE-8788 RELEASED

SUPEE-8788, Enterprise Edition 1.14.3 and Community Edition 1.9.3 address Zend framework and payment vulnerabilities, ensure sessions are invalidated after a user logs out, and make several other security enhancements that are detailed below.

Patches and upgrades are available for the following Magento versions:

  • Enterprise Edition 1.9.0.0-1.14.2.4: SUPEE-8788 or upgrade to Enterprise Edition 1.14.3
  • Community Edition 1.5.0.1-1.9.2.4: SUPEE-8788 or upgrade to Community Edition 1.9.3

Several issues with a CVSSv3 severity rating were found affecting Magento products. The most significant are listed below:

Issue Type: Remote Code Execution (RCE)

  • CVSSv3 Severity: 9.8 (Critical)
  • Security Bug: Remote Code Execution in checkout
  • Description: With some payment methods it might be possible to execute malicious PHP code during checkout.

Issue Type: SQL Injection/Improper validation

  • CVSSv3 Severity: 9.1 (Critical)
  • Security Bug: SQL injection in Zend Framework
  • Description: A bug in Zend Framework value escaping allows a malicious user to inject SQL through the ordering or grouping parameters. While there are no known frontend entry point vulnerabilities that would allow for a full SQL injection, we’ve found an entry point in the Magento Admin panel, and other entry points most likely exist.
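As an added illustration (not Magento’s or Zend Framework’s own code), the PHP below shows the defensive pattern that takes the escaping logic out of the picture for this class of bug: ORDER BY / GROUP BY input is matched against a fixed allowlist of column names rather than escaped. The `safeOrderBy` function, the `order`/`dir` request keys and the column names are assumptions made for the demo.

```php
<?php
// Added example, not code from Magento or Zend Framework.
// The advisory above notes that escaping of ordering/grouping parameters could be
// bypassed, so user input should never reach those clauses unless it is literally
// one of a known set of column names. Function and key names are assumptions.

/**
 * Return array($column, $direction) for a sort request, or throw.
 * No escaping is attempted: anything not on the allowlist is rejected outright.
 */
function safeOrderBy(array $request, array $sortableColumns, $default)
{
    $column = isset($request['order']) ? $request['order'] : $default;
    $dir    = isset($request['dir']) ? strtoupper($request['dir']) : 'ASC';

    // Strict comparison so "0" or other loosely-equal values cannot slip through.
    if (!in_array($column, $sortableColumns, true)) {
        throw new InvalidArgumentException('Unknown sort column');
    }
    if ($dir !== 'ASC' && $dir !== 'DESC') {
        throw new InvalidArgumentException('Invalid sort direction');
    }
    return array($column, $dir);
}

// Constructed allowlist: the only columns the grid may be sorted by.
$sortable = array('created_at', 'grand_total', 'increment_id');

// Constructed requests: one valid, one with a value that is not a plain column name.
$requests = array(
    array('order' => 'grand_total', 'dir' => 'desc'),
    array('order' => 'grand_total)', 'dir' => 'ASC'),
);

foreach ($requests as $req) {
    try {
        list($col, $dir) = safeOrderBy($req, $sortable, 'created_at');
        // With Zend_Db_Select this is where $select->order("$col $dir") would be
        // called; $col is guaranteed to be one of the allowlisted literals.
        echo "ORDER BY $col $dir\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ' . $e->getMessage() . "\n";
    }
}
```

The same check applies to GROUP BY input; the point is that an allowlist does not depend on the framework’s escaping being correct.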

Issue Type: Cross-Site Scripting (XSS) – Stored

  • CVSSv3 Severity: 8.2 (High)
  • Security Bug: Stored XSS in invitations
  • Description: It is possible to use the Magento Enterprise Edition invitations feature to insert malicious JavaScript that might be executed in the admin context.

Issue Type: Information Leakage

  • CVSSv3 Severity: 7.7 (High)
  • Security Bug: Stored XSS in invitations
  • Description: With access to any CMS functionality, an attacker with administrator permissions can use blocks to exfiltrate information stored in cache. This sensitive information includes store configuration, encryption key, and database connection details. Additionally, it might be possible to execute code.

Issue Type: Insufficient data protection

  • CVSSv3 Severity: 7.5 (High)
  • Security Bug: Log in as another customer
  • Description: In certain configurations, it is possible to log in as an existing store customer knowing only their email address, not their password.

Source: Magento

Magento strongly recommends deploying these new releases right away to ensure optimal security and performance. Remember to implement and test the patch in a development environment first to confirm that it works as expected, or consult a professional.

What else can be done to protect a Magento site?

Apart from installing the security patches, you can ask Magento certified professionals to conduct a security audit every quarter to ensure that your store stays secure, especially if you have installed new extensions or made changes to the site.

If you want help implementing this security patch, or have any questions about the Magento SUPEE-8788 security patch, consult our certified Magento developers or contact our support team.
