October 11, 2016
Today Magento released a mega patch, SUPEE-8788, that addresses several vulnerabilities in Magento Enterprise Edition and Community Edition 2.0.10 and 2.1.2. You can read more about this patch here:
Modern Retail will be implementing this patch on your website as soon as possible.
Magento 2.0.10 & 2.1.2 Security Update
The following are the security problems addressed in this patch:
- APPSEC-1484 - Remote Code Execution in checkout
  - Severity = 9.8 (Critical)
- APPSEC-1480 - SQL injection in Zend Framework
  - Severity = 9.1 (Critical)
- APPSEC-1503 - Stored Cross-Site Scripting in email templates
  - Severity = 8.7 (High)
- APPSEC-1488 - Stored XSS in invitations
  - Severity = 8.2 (High)
- APPSEC-1533 - Order item with altered price
  - Severity = 7.5 (High)
- APPSEC-1270 - Guest order view protection code vulnerable to brute-force attack
  - Severity = 7.5 (High)
- APPSEC-1539 - Cross-Site Scripting in section loading
  - Severity = 7.5 (High)
- APPSEC-1433 - Unauthorized removal of customer address
  - Severity = 6.5 (Medium)
- APPSEC-1338 - Full Page Cache poisoning
  - Severity = 6.5 (Medium)
- APPSEC-1329 - Information disclosure in maintenance mode
  - Severity = 5.3 (Medium)
- APPSEC-1490 - Local file inclusion
  - Severity = 4.9 (Medium)
- APPSEC-1543 - Removal of currently logged-in administrator
  - Severity = 4.9 (Medium)
- APPSEC-1212 - CSRF delete items from mini cart
  - Severity = 4.3 (Medium)
- APPSEC-1478 - Session does not expire on logout
  - Severity = 4.2 (Medium)
- APPSEC-1481 - Admin users can create backups regardless of privileges
  - Severity = 4.1 (Medium)
We realize the above is cryptic and that understanding each vulnerability in detail would be very difficult. However, the list does illustrate the number of security-related vulnerabilities and the criticality of each. If you are interested in learning more about these vulnerabilities, please visit Magento's website:
Modern Retail is testing this patch now and will be rolling it out to your website as soon as possible. Please submit a Support Request if you have any questions about this patch. Thank you.