Magento SUPEE-8788 patch

Posted in Magento

SUPEE-8788, together with Enterprise Edition 1.14.3 and Community Edition 1.9.3, addresses Zend Framework and payment vulnerabilities, ensures sessions are invalidated after a user logs out, and makes several other security enhancements, which are listed below.

Vulnerabilities addressed:

  • Remote Code Execution in checkout
  • SQL injection in Zend Framework
  • Stored XSS in invitations
  • Block cache exploit
  • Log in as another customer
  • Remote Code Execution in admin
  • Full Page Cache poisoning
  • XSS vulnerability in URL processing
  • XSS in categories management
  • GIF flooding
  • Cross-site scripting in Flash file uploader
  • Filter avoidance
  • CSRF in several forms
  • CSRF on removing item from Wishlist or Address Book
  • Session does not expire on logout
  • Lack of certificate validation enables MitM attacks
  • Timing attack on hash checking

Affected versions:

  • Enterprise Edition 1.9.0.0-1.14.2.4
  • Community Edition 1.5.0.1-1.9.2.4

Recommended action: apply the patch or upgrade to the latest Magento version.
