Magento SUPEE-10570 patch

Posted in Magento

The Magento team has recently announced a new patch.

Description:
SUPEE-10570, Magento Commerce 1.14.3.8 and Open Source 1.9.3.8 contain multiple security enhancements that help close remote code execution (RCE), cross-site scripting (XSS) and other issues. These releases also include small functional fixes listed in the release notes.

Changes:

  • Remote Code Execution Using XML Injection
  • Remote Code Execution - additional fix not included in SUPEE-9652
  • Remote Code Execution by (semi-)arbitrary file deletion for admin users with access to Import
  • Remote Code Execution in Staging Environment
  • Cross-Site Request Forgery in Store Backups
  • Cross-site Scripting in CMS hierarchy
  • Cross-site Scripting in Custom Variables
  • Cross-site Scripting in Attribute Group Name
  • Cross-site Scripting in Downloadable Products
  • Cross-site Scripting in Product SKU
  • Cross-site Scripting in Newsletter Template
  • Cross-site Scripting in Site Settings
  • Cross-site Scripting in Downloadable Products
  • Cross-Site Request Forgery Protection Bypass
  • Access to Gift Registries of Other Users
  • Session Management
  • Insufficient privilege separation
  • Password Change Session Management
  • Password Reset Session Management

Affected versions:
Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8

Recommended action: Apply the patch or upgrade to the latest Magento version
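As an added check, not part of the original post: a POSIX shell script that reports whether a Magento 1 document root already carries these fixes, either because SUPEE-10570 is recorded as applied in app/etc/applied.patches.list or because the release is at or after 1.9.3.8 (Open Source) / 1.14.3.8 (Commerce). The layout of app/Mage.php and the record format of the patch list that it parses are assumptions made here.

```shell
# Added check, not from the original post: is a Magento 1 install covered by SUPEE-10570?
# Assumed layout: app/Mage.php holds getVersionInfo() entries like 'major' => '1' and, on Commerce,
# "$_currentEdition = self::EDITION_ENTERPRISE"; app/etc/applied.patches.list holds one '|'-separated
# record per patch action, field 2 = patch name, and revert records carry the word REVERTED.

# Print the version from app/Mage.php as a dotted string, e.g. 1.9.3.7.
mage_version() {
    ver=""
    for key in major minor revision patch; do
        v=$(sed -n "s/.*'$key' *=> *'\([0-9]*\)'.*/\1/p" "$1/app/Mage.php" 2>/dev/null | head -n 1)
        [ -n "$v" ] || return 1
        ver="${ver:+$ver.}$v"
    done
    echo "$ver"
}

# Return 0 when dotted version $1 is at least $2, comparing numerically field by field.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        a=${a#"$x"}; a=${a#.}; b=${b#"$y"}; b=${b#.}
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
    done
    return 0
}

# Print the last recorded state of SUPEE-10570 in the patch list: applied, reverted or absent.
patch_state() {
    list="$1/app/etc/applied.patches.list"; state=absent
    if [ -f "$list" ]; then
        while IFS= read -r line; do
            name=$(printf '%s\n' "$line" | awk -F'|' '{gsub(/ /, "", $2); print $2}')
            [ "$name" = SUPEE-10570 ] || continue
            case "$line" in *REVERTED*) state=reverted ;; *) state=applied ;; esac
        done < "$list"
    fi
    echo "$state"
}

# Exit 0 when the fixes are present (patch applied, or release >= 1.9.3.8 / 1.14.3.8), else 1.
check_supee_10570() {
    ver=$(mage_version "$1") || { echo "cannot read version from $1/app/Mage.php"; return 1; }
    state=$(patch_state "$1"); need=1.9.3.8
    grep -q '_currentEdition *= *self::EDITION_ENTERPRISE' "$1/app/Mage.php" && need=1.14.3.8
    if version_ge "$ver" "$need" || [ "$state" = applied ]; then
        echo "OK: Magento $ver, SUPEE-10570 $state (fixes shipped in $need)"; return 0
    fi
    echo "VULNERABLE: Magento $ver, SUPEE-10570 $state; apply the patch or upgrade to $need"; return 1
}
```

Run it as `check_supee_10570 /path/to/magento` from a shell on the web host; a reverted patch is reported as `reverted`, not as applied.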

Origin URLs:
