SUPEE-10888 is the latest security patch update for both Magento Commerce 1.14.3.10 and Open Source 1.9.3.10. SUPEE-10888 was released on September 10, 2018, and addresses a range of security problems, including remote cross-site scripting and cross-site request for forgery. The patch also includes several performance enhancements to improve the functionality of the Magento Commerce and Open Source platforms.
Magento Security Patch SUPEE-10888 is available now to be installed with professional Magento managed support in the following versions:
- For Magento Commerce 1.9.0.0-1.14.3.10 users, install either SUPEE-10888 or Magento Commerce 1.14.3.10.
- For Magento Open Source 1.5.0.0-1.9.3.10 users, install either SUPEE-10888 or Magento Open Source 1.9.3.10.
The Magento ongoing support experts at top Magento agency Forix highly recommend that all merchants update their Magento platforms with the SUPEE-10888 security patch to ensure the safety of their online stores and access the benefits of improved performance for their Magento Commerce and Open Source platforms.
Security Improvements
You can anticipate enhanced protection from the following security threats after upgrading to Magento Security Patch SUPEE-10888 with Magento managed services from your Magento developer Forix.
APPSEC-2061: Authenticated Data Breach Through Layout Injection
This security threat enables an administrator with restricted privileges to acquire information to which he or she does not have access. This issue impacted Magento Open Source versions before 1.9.3.10, as well as Magento Commerce versions before 1.14.3.10.
APPSEC-1971: Reflective XSS Against Admin Grid
This cross-site scripting security issue allows the activation of arbitrary JS on the sales panel page through the configuration of one of the URL limitations.
APPSEC-1859: Reset password URL Contains the Customer ID
This security risk empowers an attacker to access a customer’s ID in the reset password link for the user’s account. The attacker can then utilize the user’s ID to obtain access to the customer’s account and information.
APPSEC-2067: Admin to Admin XSS in Modified Custom Attribute Labels
This security issue can potentially permit an admin with restricted privileges to use an XSS cross-site scripting assault on a different admin.
APPSEC-2066: Admin to Admin XSS in Catalog Configured Media Label
This prospective security breach involves an administrator with limited privileges using a cross-site scripting attack against another administrator in the system.
PPSEC-2060: Overwrite All Reviews
This information exposure security threat makes it possible to overwrite reviews and data with certain types of configurations.
APPSEC-1936: Customer Information Available Through the Data Base
This security threat enables a user with malicious intent to employ a brute force attack to generate the global/secret/key in the app/local database. The user can then access and decrypt the file to obtain the password of a Magento customer from the sales quote table of the database.
APPSEC-1933: Moxieplayer Redirect
This is a security configuration risk, so potential threat permits Moxieplayer redirect to open on any site to exploit users.
Performance Enhancements
In addition to protection from the aforementioned security threats, you can expect to see several performance improvements when you install Magento Security Patch SUPEE-10888 with the assistance of Magento managed services from top Magento developer Forix, including:
APPSEC-2002: Automatic E-mail When a New Admin Account Is Established
This performance improvement helps identify recently established admin accounts by sending an email whenever a new admin is created.
APPSEC-1730: User Doesn’t Compel HTTPS Usage
This new feature ensures the downloaders can only employ HTTPS connections.
Still curious about SUPEE-10888? Get in touch with an expert at Forix to hear more.