Help & Resource Center

Magento 2.X Security Patch Bundle

October 11, 2016

Today Magento released a mega patch, SUPEE-8788, that addresses several vulnerabilities in Magento Magento Enterprise Edition and Community Edition 2.0.10 and 2.1.2.  You can read more about this patch here:

Modern Retail will be implementing this patch on your website as soon as possible.

Magento 2.0.10 & 2.1.2 Security Update

The following are the security problems addressed in this patch:

  • APPSEC-1484 - Remote Code Execution in checkout
    • Severity = 9.8 (Critical)
  • APPSEC-1480 - SQL injection in Zend Framework
    • Severity = 9.1 (Critical)
  • APPSEC-1503 - Stored Cross-Site Scripting in email templates
    • Severity = 8.7 (High)
  • APPSEC-1488 - Stored XSS in invitations
    • Severity = 8.2 (High)
  • APPSEC-1533 - Order item with altered price
    • Severity = 7.5 (High)
  • APPSEC-1270 - Guest order view protection code vulnerable to brute-force attack
    • Severity = 7.5 (High)
  • APPSEC-1539 - Cross-Site Scripting in section loading
    • Severity = 7.5 (High)
  • APPSEC-1433 - Unauthorized removal of customer address
    • Severity = 6.5 (Medium)
  • APPSEC-1338 - Full Page Cache poisoning
    • Severity = 6.5 (Medium)
  • APPSEC-1329 - Information disclosure in maintenance mode
    • Severity = 5.3 (Medium)
  • APPSEC-1490 - Local file inclusion
    • Severity = 4.9 (Medium)
  • APPSEC-1543 - Removal of currently logged-in administrator
    • Severity = 4.9 (Medium)
  • APPSEC-1212 - CSRF delete items from mini cart
    • Severity = 4.3 (Medium)
  • APPSEC-1478 - Session does not expire on logout
    • Severity = 4.2 (Medium)
  • APPSEC-1481 - Admin users can create backups regardless of privileges
    • Severity = 4.1 (Medium)

We realize the above is cryptic and understanding each vulnerability would be very difficult.  However, the above does illustrate the number of security-related vulnerabilities and the criticality of each. If you are interested in learning more about these vulnerabilities, please visit Magento's website:

Modern Retail is testing this patch now and will be rolling it out to your website as soon as possible.  Please submit a Support Request if you have any questions about this patch.  Thank you.