Magento 1.9.3.9 Security Update

·

·

Magento 1.9.3.9 was released on June 27 and contains the SUPEE-10752 security patch and some additional fixes. You should install the update as soon as possible because the update fixes critical security vulnerabilities.

This update contains following fixes and enhancements:

  • Magento no longer performs unnecessary write operations on the core_url_rewrite table.
  • Customers can now successfully register during checkout without being unexpectedly logged out.
  • Incorrect escaping in the cron.sh file no longer prevents cron jobs from running in parallel as expected.
  • Magento now cleans session data as expected after a customer logs out.

And the SUPEE-10752 security patch:

  • APPSEC-2027: CSRF is possible against Web sites, Stores, and Store Views
  • APPSEC-1882: The cron.php file can leak database credentials
  • APPSEC-2006: Stored cross-site scripting (XSS) through the Enterprise Logging extension
  • APPSEC-2005: Persistent Cross-Site Scripting (XSS) injection in Configuration table
  • APPSEC-1880: Cross-Site Scripting (XSS) through the Admin Username in the CMS Revision Editor (Commerce only)
  • APPSEC-2004: Cross-Site Scripting (XSS) through Remote File Inclusion
  • APPSEC-1988: Path traversal vulnerability in templates
  • APPSEC-1987: Reflective cross-site scripting (XSS) through filter manipulation
  • APPSEC-2034: XSS in Admin Create Order Configure Product Via Compatible File Extensions
  • APPSEC-1876: Cross-site scripting (XSS) in Admin Bundle Product Bundle Items Tab through Product SKU
  • APPSEC-1874: Cross-Site Scripting (XSS) in the Admin Gift Registry Type Edit via Attribute Group
  • APPSEC-1872: Cross-Site Scripting (XSS) in the Admin Manage Catalog Events list through category name
  • APPSEC-1928: Stored XSS in Downloadable Product Links title – frontend
  • APPSEC-1871: Cross-Site Scripting (XSS) in the Admin Manage Customer Rewards points history using the Reason field
  • APPSEC-1870: Cross-Site Scripting (XSS) in Admin Manage Invitations list through Invitee email address
  • APPSEC-1972/APPSEC-2103: Admin password change does not force the logout of the Admin user
  • APPSEC-1934: Systemic Cross-Site Request Forgery (CSRF) on the Checkout page
  • APPSEC-1917: Password theft though uploaded video and Auth Prompt password theft vulnerability
  • APPSEC-1993: IP spoofing

Remember to create a backup before installing an update.

(Image by peshkova)