Download SUPEE-10266
You can download SUPEE-10266 patch packaged as a shell script for installation via SSH from the table below:| Magento version | SUPEE-10266 | MD5 checksum |
|---|---|---|
| Magento CE 1.5.1.0 | SUPEE-10266 1.5.1.0 | 2ccb38492a87a5efc25062f28017b223 |
| Magento CE 1.6.2.0 | SUPEE-10266 1.6.2.0 | 4c7bccfb9b9b49f1ad435a4bc99c0746 |
| Magento CE 1.7.0.2 | SUPEE-10266 1.7.0.2 | 9e2e3ca5e6d571b28b5d2303d1af1429 |
| Magento CE 1.8.1.0 | SUPEE-10266 1.8.1.0 | 039aacdff129bb9f3e5d1b7e851b619a |
| Magento CE 1.9.0.1 | SUPEE-10266 1.9.0.1 | 0595fc95543835ac0dc3057ed26d364d |
| Magento CE 1.9.1.0 | SUPEE-10266 1.9.1.0 | e24524b570d81cb286c9e17df84f01be |
| Magento CE 1.9.1.1 | SUPEE-10266 1.9.1.1 | f7b35118062be7c0eba977e570dc3f2a |
| Magento CE 1.9.2.4 | SUPEE-10266 1.9.2.4 | 5f5490cf1479767a427430f0e89ba3bc |
| Magento CE 1.9.3.2 | SUPEE-10266 1.9.3.2 | 0862935a500cb051d526c753658d7b5c |
| Magento CE 1.9.3.4 | SUPEE-10266 1.9.3.4 | fc8a4c9b9c8098520eed87279a57d40b |
Known issues
There are several known issues related to SUPEE-10415 installation, you can refer to this list for details.Issues solved in SUPEE-10266
| APPSEC-1838: RSS session admin cookie can be used to gain Magento administrator privileges. | |
|---|---|
| Type: | Privilege Escalation |
| CVSSv3 Severity: | 8.2 (High) |
| Known Attacks: | None |
| Description: | An attacker can use a low privilege RSS session cookie to escalate privileges and gain access to the Magento Admin Portal. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.6, and Magento Commerce prior to 1.14.3.6 |
| Fixed In: | Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266 |
| Reporter: | gwillem |
| APPSEC-1800: Remote Code Execution vulnerability in CMS and layouts | |
|---|---|
| Type: | Remote Code Execution (RCE) |
| CVSSv3 Severity: | 8.2 (High) |
| Known Attacks: | None |
| Description: | A Magento administrator with limited privileges can introduce malicious code when creating a new CMS Page, which could result in arbitrary remote code execution. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.6, and Magento Commerce prior to 1.14.3.6, Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9 |
| Fixed In: | Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266, Magento 2.0.16, Magento 2.1.9 |
| Reporter: | dhln |
| APPSEC-1835: Exposure of Magento secret key from app/etc/local.xml | |
|---|---|
| Type: | Information Leak (system) |
| CVSSv3 Severity: | 8.2 (High) |
| Known Attacks: | None |
| Description: | An administrator with limited privileges can create content that references and exposes sensitive Magento installation information that could be leveraged in further exploitation. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.6, and Magento Commerce prior to 1.14.3.6 |
| Fixed In: | Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266 |
| Reporter: | Jeroen Boersma |
| APPSEC-1757: Directory traversal in template configuration | |
|---|---|
| Type: | Information Leak (system) |
| CVSSv3 Severity: | 6.1 (Medium) |
| Known Attacks: | None |
| Description: | An administrator with limited privileges can force Magento store notifications to include internal system files. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.6, and Magento Commerce prior to 1.14.3.6 |
| Fixed In: | Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266 |
| Reporter: | Nashcontrol |
| APPSEC-1852: CSRF + Stored Cross Site Scripting (customer group) | |
|---|---|
| Type: | CSRF, XSS (stored) |
| CVSSv3 Severity: | 6.0 (Medium) |
| Known Attacks: | None |
| Description: | A Magento administrator with limited privileges can exploit a vulnerability in the customer group to create a URL that can be used as part of CSRF attack. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.6, and Magento Commerce prior to 1.14.3.6, Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9 |
| Fixed In: | Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266, Magento 2.0.16, Magento 2.1.9 |
| Reporter: | Boskostan |
| APPSEC-1494: AdminNotification Stored XSS | |
|---|---|
| Type: | Cross-Site Scripting (XSS, stored) |
| CVSSv3 Severity: | 5.9 (Medium) |
| Known Attacks: | None |
| Description: | An attacker with the ability to launch a Man-in-the-middle attack on a network connection could inject code on the Magento Admin RSS feed. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.6, and Magento Commerce prior to 1.14.3.6, Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9 |
| Fixed In: | Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266, Magento 2.0.16, Magento 2.1.9 |
| Reporter: | lleber |
| APPSEC-1793: Potential file uploads solely protected by .htaccess | |
|---|---|
| Type: | Remote Code Execution (RCE) |
| CVSSv3 Severity: | 5.8 (Medium) |
| Known Attacks: | None |
| Description: | An attacker can target non-Apache installations (for example, Nginx) to upload executable scripts that can be used to stage additional exploitations. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.6, and Magento Commerce prior to 1.14.3.6, Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9 |
| Fixed In: | Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266, Magento 2.0.16, Magento 2.1.9 |
| Reporter: | Internal |
| APPSEC-1853: CSRF + Stored Cross Site Scripting in newsletter template | |
|---|---|
| Type: | CSRF, XSS (stored) |
| CVSSv3 Severity: | 5.5 (Medium) |
| Known Attacks: | None |
| Description: | A Magento administrator with limited privileges can exploit a vulnerability in the newsletter template to create a URL that can be used as part of a CSRF attack. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.6, and Magento Commerce prior to 1.14.3.6, Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9 |
| Fixed In: | Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266, Magento 2.0.16, Magento 2.1.9 |
| Reporter: | Boskostan |
| APPSEC-1729: XSS in admin order view using order status label in Magento | |
|---|---|
| Type: | Cross-Site Scripting (XSS, stored) |
| CVSSv3 Severity: | 5.5 (Medium) |
| Known Attacks: | None |
| Description: | An administrator can inject code in sales order records, which can result in an XSS attack on anyone that views the page. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.6, and Magento Commerce prior to 1.14.3.6, Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9 |
| Fixed In: | Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266, Magento 2.0.16, Magento 2.1.9 |
| Reporter: | fabian |
| APPSEC-1579: Customer Segment Delete Action uses GET instead of POST request | |
|---|---|
| Type: | Cross-Site Request Forgery (CSRF) |
| CVSSv3 Severity: | 5.1 (Medium) |
| Known Attacks: | None |
| Description: | A Magento administrator can perform malicious actions through an inadequate security check of the form key in the customer segment page. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.6, and Magento Commerce prior to 1.14.3.6, Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9 |
| Fixed In: | Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266, Magento 2.0.16, Magento 2.1.9 |
| Reporter: | Internal |
| APPSEC-1588: Order Item Custom Option Disclosure | |
|---|---|
| Type: | Information Leak (order) |
| CVSSv3 Severity: | 4.9 (Medium) |
| Known Attacks: | None |
| Description: | An attacker can craft a URL request on a Magento site during checkout and retrieve information about past orders. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.6, and Magento Commerce prior to 1.14.3.6, Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9 |
| Fixed In: | Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266, Magento 2.0.16, Magento 2.1.9 |
| Reporter: | Peter O’Callaghan |
| APPSEC-1599: Admin login does not handle autocomplete feature correctly | |
|---|---|
| Type: | Information Leak (system) |
| CVSSv3 Severity: | 4.1 (Medium) |
| Known Attacks: | None |
| Description: | Several fields in the Admin panel do not correctly handle autocomplete, which could result in a potential information leak when a browser tries to autocomplete the field. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.6, and Magento Commerce prior to 1.14.3.6, Magento 2.0 prior to 2.0.16, Magento 2.1 prior to 2.1.9 |
| Fixed In: | Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266, Magento 2.0.16, Magento 2.1.9 |
| Reporter: | Internal |
| APPSEC-1688: Secure cookie check to prevent MITM not expiring user sessions |
|---|
| APPSEC-1688: Secure cookie check to prevent MITM not expiring user sessions | |
|---|---|
| Type: | Insufficient Session Expiration |
| CVSSv3 Severity: | 3.8 (Low) |
| Known Attacks: | None |
| Description: | Magento does not properly validate session cookies, or cause them to expire, which potentially permits visitors to use expired cookies to interact with a store. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.6, and Magento Commerce prior to 1.14.3.6 |
| Fixed In: | Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266 |
| Reporter: | jay-d |