Magento 1.9.3.7 and 2.1.11 Updates

Magento 1.9.3.7 (SUPEE-10415)

Magento 1.9.3.7 is a security update that fixes multiple critical security issues, including Remote Code Execution, Cross-Site Scripting and Denial of Service attacks.

Besides the security fixes, a few bugs were also resolved.

  • Magento no longer displays the “Invalid Secret Key. Please refresh the page.” message when a user loads the Admin.
  • The one-page checkout page now displays the following message when a customer checks out an order for which no amount is due: No payment information required.
  • Magento fixed a typo in the patch header information. (autocomplete="new-pawwsord" is now autocomplete="new-password".)

The fixed security issues are:

  • APPSEC-1330: Unsanitized input leading to denial of service
  • APPSEC-1885: Stored XSS in Product Descriptions
  • APPSEC-1892: Stored XSS in Visual Merchandiser
  • APPSEC-1894: Remote Code Execution by leveraging unsafe unserialization
  • APPSEC-1897: Fix WSDL based patching to work with SOAP V1
  • APPSEC-1913: Remote Code Execution through Config Manipulation
  • APPSEC-1914: Stored XSS in CMS Page Area
  • APPSEC-1915: Remote Code Execution in CMS Page Area
  • APPSEC-1325: Stored XSS in Billing Agreements
  • APPSEC-1830: PHP Object Injection in product attributes leading to Remote Code Execution
  • APPSEC-1861: PHP Object Injection in product entries leading to Remote Code Execution

The detailed list of issues is available in the Magento Tech Resources.

 

Magento 2.1.11

Magento 2.1.11 was released on December 12 and, like Magento 2.2.2, contains new features and many fixes and enhancements.

The new features

  • Support for the Indian Rupee (INR) in PayPal Express Checkout
  • New commands and functionality for the command-line interface.

The fixes and enhancements

  • Significant enhancements and fixes for various payment methods.
  • Corrected sitemap generation. Magento no longer generates the sitemap in the wrong directory when vhost is connected to /pub.
  • When a simple child product on a configurable product has a lower price (either regular, or special price) than the other options (variations), the configurable product without any selected options now indicates that the price could be “As low as” = .
  • You can now add a configurable product to your cart from the Category page.
  • A lot of further general fixes.

A detailed list of all changes can be found in the Magento DevDocs.

 

Remember to create a backup before installing updates.

(Featured image by peshkova)