Magento has recently released a new Security Patch SUPEE-10497. This patch replaces SUPEE-10266 (released September 14, 2017) and SUPEE-10415 (released November 28, 2017).

This issue affects users of Magento Open Source 1.9.1.1 only. Users of Magento Commerce, or any other version of Magento Open Source, are not affected.

SUPEE-10415 Security Patch

SUPEE-10415, Magento Commerce (Formerly Enterprise Edition) 1.14.3.7 and Open Source (Formerly Community Edition) 1.9.3.7 contain multiple security enhancements that help close cross-site request forgery (CSRF), Denial-of-Service (DoS) and authenticated Admin user remote code execution (RCE) vulnerabilities. These releases also include a fix for a prior customer that had experienced issues patching caused by SOAP v1 interactions in WSDL.

Patches and upgrades are available for the following Magento versions:

Magento Commerce 1.9.0.0-1.14.3.7: SUPEE-10415 or upgrade to Magento Commerce 1.14.3.7.

Magento Open Source 1.5.0.0-1.9.3.7: SUPEE-10415 or upgrade to Magento Open Source 1.9.3.7.

List of Issues Addressed by this Security Patch

  • Unsanitized input leading to denial of service: A site visitor can create an account where one of the parameters will create a server denial-of-service.
  • Stored XSS in Product Name field: An administrator with limited privileges can insert script in the product name field, potentially resulting in a stored cross-site scripting that affects other administrators.
  • Cross-Site Scripting (XSS, stored): An administrator with limited privileges can create a stored-cross site scripting attack in the Visual Merchandiser system.
  • Remote Code Execution by leveraging unsafe unserialization: An administrator with limited privileges can insert injectable code in promo fields, creating an opportunity for arbitrary remote code execution.
  • Fix WSDL based patching to work with SOAP V1: Addresses an issue affecting a small number of customers to enable two prior patches to handle SOAP v1 interactions in WSDL.
  • AdminNotification Stored XSS: An attacker with the ability to launch a Man-in-the-middle attack on a network connection could inject code into the Magento Admin RSS feed.
  • Potential file uploads solely protected by .htaccess: An attacker can target non-Apache installations (for example, Nginx) to upload executable scripts that can be used to stage additional exploitation.
  • Remote Code Execution through Config Manipulation: An administrator with limited privileges can inject a malformed configuration bypass leading to a file redirection that can be leveraged into arbitrary remote code execution.
  • Stored XSS in CMS Page Area: An administrator with limited privileges can create a page within the Content Management System (CMS) with an embedded cross-site scripting attack.
  • Remote Code Execution in CMS Page Area: An administrator with limited privileges can create a specially crafted CMS page that can be parsed incorrectly, potentially leading to an arbitrary remote code execution.
  • Stored XSS in Billing Agreements: An administrator with limited privileges can create Billing Agreements with embedded cross-site scripting elements that can subsequently lead to a stored cross-site scripting attack.
  • PHP Object Injection in product attributes leading to Remote Code Execution: An administrator with limited privileges can insert a widget block containing malicious code, creating an opportunity for arbitrary remote code execution.
  • PHP Object Injection in product entries leading to Remote Code Execution: An administrator with limited privileges can insert injectable code in promo fields, creating an opportunity for arbitrary remote code execution.