Magento 1.X Security Patch Bundle - October 2016

October 11, 2016

Today Magento released a large security patch bundle, SUPEE-8788, that addresses several vulnerabilities in Magento Enterprise Edition 1.14.3 and Community Edition 1.9.3. Magento has published further details about this patch on its website.

Modern Retail will be implementing this patch on your website as soon as possible.

Magento Patch SUPEE-8788

The following are the security problems addressed in this patch:

  • APPSEC-1484 - Remote Code Execution in checkout
    • Severity = 9.8 (Critical)
  • APPSEC-1480 - SQL injection in Zend Framework
    • Severity = 9.1 (Critical)
  • APPSEC-1488 - Stored XSS in invitations
    • Severity = 8.2 (High)
  • APPSEC-1247 - Block cache exploit
    • Severity = 7.7 (High)
  • APPSEC-1517 - Log in as another customer
    • Severity = 7.5 (High)
  • APPSEC-1375 - Remote Code Execution in admin
    • Severity = 6.5 (Medium)
  • APPSEC-1338 - Full Page Cache poisoning
    • Severity = 6.5 (Medium)
  • APPSEC-1436 - XSS vulnerability in URL processing
    • Severity = 6.1 (Medium)
  • APPSEC-1211 - XSS in categories management
    • Severity = 6.1 (Medium)
  • APPSEC-1058 - GIF flooding
    • Severity = 5.3 (Medium)
  • APPSEC-666 - Cross-site scripting in Flash file uploader
    • Severity = 5.3 (Medium)
  • APPSEC-1282 - Filter avoidance
    • Severity = 4.9 (Medium)
  • APPSEC-327 - CSRF in several forms
    • Severity = 4.7 (Medium)
  • APPSEC-1189 - CSRF on removing item from Wishlist or Address Book
    • Severity = 4.7 (Medium)
  • APPSEC-1478 - Session does not expire on logout
    • Severity = 4.2 (Medium)
  • APPSEC-1106 - Lack of certificate validation enables MitM attacks
    • Severity = 3.7 (Low)
  • APPSEC-995 - Timing attack on hash checking
    • Severity = 3.7 (Low)

We realize the above is cryptic and that understanding each vulnerability in detail would be difficult. However, the list does illustrate the number of security vulnerabilities addressed and the criticality of each. If you are interested in learning more about these vulnerabilities, please visit Magento's website.

Modern Retail is testing this patch now and will be rolling it out to your website as soon as possible. Please submit a Support Request if you have any questions about this patch. Thank you.