The Magento team has recently announced a new patch.
Description:
SUPEE-10570, Magento Commerce 1.14.3.8 and Open Source 1.9.3.8 contain multiple security enhancements that help close remote code execution (RCE), cross-site scripting (XSS), and other issues. These releases also include small functional fixes listed in the release notes.
Changes:
- Remote Code Execution Using XML Injection
- Remote Code Execution - additional fix not included in SUPEE-9652
- Remote Code Execution by (semi-)arbitrary file deletion for admin users with access to Import
- Remote Code Execution in Staging Environment
- Cross-Site Request Forgery in Store Backups
- Cross-site Scripting in CMS hierarchy
- Cross-site Scripting in Custom Variables
- Cross-site Scripting in Attribute Group Name
- Cross-site Scripting in Downloadable Products
- Cross-site Scripting in Product SKU
- Cross-site Scripting in Newsletter Template
- Cross-site Scripting in Site Settings
- Cross-site Scripting in Downloadable Products
- Cross-Site Request Forgery Protection Bypass
- Access to Gift Registries of Other Users
- Session Management
- Insufficient privilege separation
- Password Change Session Management
- Password Reset Session Management
Affected versions:
Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8
Recommended action: Apply the patch or upgrade to the latest Magento version
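To turn the recommended action into a repeatable check, here is an added example (not part of the advisory and not Magento's own tooling) that decides whether a Magento 1 install still needs SUPEE-10570. It uses the fixed-version thresholds stated above and assumes the Magento 1 convention that the patch shell scripts append a line naming each applied patch to app/etc/applied.patches.list; the sample list written below is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the advisory: decide whether a Magento 1 install is
# still exposed to the issues fixed by SUPEE-10570.
# Assumption: applied patches are recorded one per line in
# app/etc/applied.patches.list and the line contains the patch name.

# patch_listed FILE PATCHNAME -> 0 if PATCHNAME appears in FILE, 1 otherwise
patch_listed() {
    [ -f "$1" ] && grep -q "$2" "$1"
}

# version_ge VERSION MINIMUM -> 0 if VERSION >= MINIMUM (dotted numeric compare)
version_ge() {
    top=$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | tail -n1)
    [ "$top" = "$1" ]
}

# needs_action EDITION VERSION PATCHFILE -> 0 if the install is still exposed,
# 1 if it runs a fixed release or has the patch recorded, 2 on bad input.
# Minimum fixed versions are the ones named in the advisory.
needs_action() {
    edition=$1; version=$2; patchfile=$3
    case "$edition" in
        open-source) minimum=1.9.3.8 ;;
        commerce)    minimum=1.14.3.8 ;;
        *) echo "unknown edition: $edition" >&2; return 2 ;;
    esac
    if version_ge "$version" "$minimum"; then
        return 1   # fixed release already installed
    fi
    if patch_listed "$patchfile" SUPEE-10570; then
        return 1   # older release, but the patch is recorded as applied
    fi
    return 0       # older release and no record of the patch: act on it
}

# Demonstration on a constructed applied.patches.list (format is an assumption)
tmp=$(mktemp)
printf '%s\n' \
  '2018-02-27 10:00:00 UTC | SUPEE-10415 | CE_1.9.3.x | v1 | constructed sample' \
  '2018-02-28 09:30:00 UTC | SUPEE-10570 | CE_1.9.3.x | v1 | constructed sample' > "$tmp"

if needs_action open-source 1.9.3.7 "$tmp"; then
    echo "exposed: apply SUPEE-10570 or upgrade"
else
    echo "ok: fixed release or patch recorded"
fi
rm -f "$tmp"
```

On a real install, run it from the Magento root and pass the actual version, which Magento 1 exposes via Mage::getVersion() (for example `php -r 'require "app/Mage.php"; echo Mage::getVersion();'`), together with the path app/etc/applied.patches.list. The version check alone is not enough: a store on 1.9.3.7 with the patch applied is fixed, which is why the patch list is consulted before reporting exposure.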
Origin URLs: