Magento Security Patches
Security Updates and News
- Magento Security Patch 2.2.1, 2.1.10 and 2.0.17 Update
- Magento 2.0.16 and 2.1.9 Security Update
- SUPEE-6788 Technical Details
- SUPEE-6788 Address Zend Framework Vulnerability Update
- Magento Security Patch 2.0.1 Update
- Magento 2.0.4 Security Update
- Magento 2.0.6 Security Update
- Magento Security Update 2.0.10 and 2.1.2
- Magento 2.0.14 and 2.1.7 Security Update
Magento Security Patch SUPEE-10752
Magento Security Patch SUPEE-10752 released on June 27, 2018. The patch deals with security issues relating to remote code execution (RCE) and cross-site request forgery (CSRF), plus other security vulnerabilities. As always, it is very important to install these critical updates immediately, especially in the case of e-commerce security. Without this patch, your customers’ information is at risk. When your customers’ information is at risk, your entire business is at risk. One slip and all the data can land in the wrong hands.
SUPEE-10753, Magento Commerce 126.96.36.199 and Open Source 188.8.131.52 fix the following issues:
- Magento stopped performing unneeded write operations on the core_url_rewrite table.
- The incorrect escaping in the cron.sh file stopped preventing cron jobs from running parallel as they should.
- Customers will not have to worry about becoming logged out unexpectedly when checking out.
- Magento now will wipe your session data as it should upon customer log out.
The added security fixes mean that your customers’ data is secure again. You can ensure you are giving them the highest level of security possible when shopping on your site, making them more likely to come back and shop with you again. Installing updates like this keeps your customers feeling safe and knowing that you are staying on top of the latest security developments.
In some cases, there is a problem installing this security patch. A previous version, SUPEE-10570v1, may still be active on your site. Magento support can help. To fix the error message, uninstall SUPEE-10570v1 and replace it with SUPEE-10570v2 before installing SUPEE-10752 or else you may run into trouble. To check to be sure the correct fix is in place, attempt one of these actions:
- Create a new customer
- Navigate your e-commerce catalog
- Log in and log out of your site as a customer
- Place an order as a fictional customer
This is a list of the critical fixes that SUPEE-10752 will fix:
APPSEC-2001: Authenticated Remote Code Execution Using Custom Layout XML
Users with Admin rights who can manage products displayed on your site can use a custom XML file to duplicate any file to any location. This would mean your customers’ data is at risk for duplication, where someone could take it to another file. This would allow anyone with Admin rights to access this information.
APPSEC-2015: Authenticated Remote Code Execution Through the Create New Order Feature
users on your site who have permission to create a new sales order using the Admin panel are able to use the gift card function to operate and change the data that is being requested, while injecting a string of malicious code into your site. Later, that code is at risk for unserialization. Allowing access into the wrong hands could be devastating for businesses.
APPSEC-2042: PHP Object Injection and RCE in the Magento Admin Panel
A user who has admin rights and who can also reach the Enterprise Target rule module can add rule-based product relations with the ability to later manipulate and set off remote code execution. Allowing anyone remote access to the code in your site can be extremely dangerous and should be fixed immediately. Reach out to a security patch expert at Forix to get SUPEE-10752 installed.