Magento 1.9.3.9 Security Update


Magento 1.9.3.9 was released on June 27 and contains the SUPEE-10752 security patch along with several functional fixes. Install it as soon as possible: the release closes critical security vulnerabilities, among them CSRF on the checkout page, a series of stored XSS issues in the admin panel, and leakage of database credentials through cron.php.

This update contains the following fixes and enhancements:

  • Magento no longer performs unnecessary write operations on the core_url_rewrite table.
  • Customers can now successfully register during checkout without being unexpectedly logged out.
  • Incorrect escaping in the cron.sh file no longer prevents cron jobs from running in parallel as expected.
  • Magento now cleans session data as expected after a customer logs out.

The SUPEE-10752 security patch fixes the following issues:

  • APPSEC-2027: CSRF is possible against Web sites, Stores, and Store Views
  • APPSEC-1882: The cron.php file can leak database credentials
  • APPSEC-2006: Stored cross-site scripting (XSS) through the Enterprise Logging extension
  • APPSEC-2005: Persistent Cross-Site Scripting (XSS) injection in Configuration table
  • APPSEC-1880: Cross-Site Scripting (XSS) through the Admin Username in the CMS Revision Editor (Commerce only)
  • APPSEC-2004: Cross-Site Scripting (XSS) through Remote File Inclusion
  • APPSEC-1988: Path traversal vulnerability in templates
  • APPSEC-1987: Reflective cross-site scripting (XSS) through filter manipulation
  • APPSEC-2034: XSS in Admin Create Order Configure Product Via Compatible File Extensions
  • APPSEC-1876: Cross-site scripting (XSS) in Admin Bundle Product Bundle Items Tab through Product SKU
  • APPSEC-1874: Cross-Site Scripting (XSS) in the Admin Gift Registry Type Edit via Attribute Group
  • APPSEC-1872: Cross-Site Scripting (XSS) in the Admin Manage Catalog Events list through category name
  • APPSEC-1928: Stored XSS in Downloadable Product Links title – frontend
  • APPSEC-1871: Cross-Site Scripting (XSS) in the Admin Manage Customer Rewards points history using the Reason field
  • APPSEC-1870: Cross-Site Scripting (XSS) in Admin Manage Invitations list through Invitee email address
  • APPSEC-1972/APPSEC-2103: Admin password change does not force the logout of the Admin user
  • APPSEC-1934: Systemic Cross-Site Request Forgery (CSRF) on the Checkout page
  • APPSEC-1917: Password theft through uploaded video and Auth Prompt password theft vulnerability
  • APPSEC-1993: IP spoofing

Remember to create a backup of both the files and the database before installing an update. Shops that cannot move to 1.9.3.9 right away should at least apply the standalone SUPEE-10752 patch, which Magento also publishes for older 1.x releases.
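Before and after the update you will want to confirm where a shop actually stands. The script below is an added example and not part of the original post or of Magento's own tooling: it decides from the version string and the app/etc/applied.patches.list file (which Magento's patch scripts maintain, one pipe-separated line per patch with the patch ID as the second column) whether an install still needs SUPEE-10752. The function names, the sample list contents and the treatment of a trailing REVERTED marker as "patch no longer applied" are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether a Magento 1
# install still needs SUPEE-10752, from its version string and from
# app/etc/applied.patches.list.

# Compare two dotted version strings. Prints -1, 0 or 1 for a < b, a = b, a > b.
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"
    [ -z "$x" ] && x=0
    [ -z "$y" ] && y=0
    if [ "$x" -lt "$y" ]; then echo -1; return; fi
    if [ "$x" -gt "$y" ]; then echo 1; return; fi
    case "$a" in *.*) a="${a#*.}";; *) a="";; esac
    case "$b" in *.*) b="${b#*.}";; *) b="";; esac
  done
  echo 0
}

# Return 0 if PATCH is recorded in LISTFILE and its most recent entry is not
# marked REVERTED (treating that marker as a revert is an assumption here).
patch_applied() {
  listfile="$1"; patch="$2"
  [ -r "$listfile" ] || return 1
  last=$(grep -F -- "$patch" "$listfile" | tail -n 1)
  [ -n "$last" ] || return 1
  case "$last" in *REVERTED*) return 1;; esac
  return 0
}

# Return 0 if the shop still needs SUPEE-10752: version below 1.9.3.9 and
# no (unreverted) SUPEE-10752 entry in the patch list.
needs_supee_10752() {
  version="$1"; listfile="$2"
  if [ "$(vercmp "$version" 1.9.3.9)" -ge 0 ]; then return 1; fi
  if patch_applied "$listfile" SUPEE-10752; then return 1; fi
  return 0
}

# Demo on a constructed applied.patches.list (sample data, not a real install).
demo_dir=$(mktemp -d)
cat > "$demo_dir/applied.patches.list" <<'EOF'
2018-03-01 09:00:00 UTC | SUPEE-10570 | CE_1.9.3.7 | v1 | constructed sample line
EOF
if needs_supee_10752 1.9.3.8 "$demo_dir/applied.patches.list"; then
  echo "1.9.3.8 without SUPEE-10752: update needed"
else
  echo "already covered"
fi
rm -rf "$demo_dir"
```

On a real install, pass the output of Mage::getVersion() (for example `php -r "require 'app/Mage.php'; echo Mage::getVersion();"` run from the Magento root) as the first argument and `app/etc/applied.patches.list` as the second.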
