Download SUPEE-10415 for Magento 1.x
You can download SUPEE-10415 patch packaged as a shell script for installation via SSH from the table below:| Magento version | SUPEE-10415 | MD5 checksum |
|---|---|---|
| Magento CE 1.5.1.0 | SUPEE-10415 1.5.1.0 | 5337efe37bf4c0f90237e540aa35d5b5 |
| Magento CE 1.6.2.0 | SUPEE-10415 1.6.2.0 | 3bd09263219287ad36b55619888e8d0e |
| Magento CE 1.7.0.2 | SUPEE-10415 1.7.0.2 | c8fc4679747009c3ebfdef02512b0de4 |
| Magento CE 1.8.0.0 | SUPEE-10415 1.8.0.0 | 5162a1885dd14bf5d58c451803e4375d |
| Magento CE 1.8.1.0 | SUPEE-10415 1.8.1.0 | 0d7ec17c88897a286782379a57f08c76 |
| Magento CE 1.9.0.0 | SUPEE-10415 1.9.0.0 | 229d8c5f771de4e33f17b5c2e564819f |
| Magento CE 1.9.0.1 | SUPEE-10415 1.9.0.1 | 04dc6663b3fd9aad4301d55c8c6f1038 |
| Magento CE 1.9.1.0 | SUPEE-10415 1.9.1.0 | 49147426c0a20efaeef6061fbb72848b |
| Magento CE 1.9.1.1 | SUPEE-10415 1.9.1.1 | 6b6e73d7982711249d337326cd0e6229 |
| Magento CE 1.9.2.0 | SUPEE-10415 1.9.2.0 | eb60480de79d6027d4454b4a6d9effb4 |
| Magento CE 1.9.2.1 | SUPEE-10415 1.9.2.1 | a465bcb8422e2f1107c702dcaa433901 |
| Magento CE 1.9.2.2 | SUPEE-10415 1.9.2.2 | 0b0e9f82733589ac48a8fca5fbb42d10 |
| Magento CE 1.9.2.3 | SUPEE-10415 1.9.2.3 | 8253be643d7cf4871e27355fc5fdac60 |
| Magento CE 1.9.2.4 | SUPEE-10415 1.9.2.4 | c998f4262560cf0d2ffb8e04f866b286 |
| Magento CE 1.9.3.0 | SUPEE-10415 1.9.3.0 | 6d54152f6deb268aa867f22f939a881a |
| Magento CE 1.9.3.1 | SUPEE-10415 1.9.3.1 | d2b2de7125253d78982cd883f6d8757c |
| Magento CE 1.9.3.2 | SUPEE-10415 1.9.3.2 | 030ffcb5153eaba570f109d23822477a |
| Magento CE 1.9.3.3 | SUPEE-10415 1.9.3.3 | 605abfcfba7a54684cfce188f9f013d4 |
| Magento CE 1.9.3.4 | SUPEE-10415 1.9.3.4 | ed88d8a19cc9ff65de227052c063a071 |
| Magento CE 1.9.3.6 | SUPEE-10415 1.9.3.6 | 09f49164985f5f2950aecc8fe435f2bc |
If you have no SSH access, you can install with direct file upload via FTP or filemanager How to apply SUPEE-10415 without SSH.
Known issues
There are several known issues related to SUPEE-10415 installation, you can refer to this list for details.Issues solved in SUPEE-10415
| APPSEC-1330: Unsanitized input leading to denial of service | |
|---|---|
| Type: | Denial-of-Service (DOS) |
| CVSSv3 Severity: | 6.7 (Medium) |
| Known Attacks: | None |
| Description: | A site visitor can create an account where one of the parameters will create a server denial-of-service. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.7, and Magento Commerce prior to 1.14.3.7. |
| Fixed In: | Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415. |
| Reporter: | Internal |
| APPSEC-1885: Stored XSS in Product Descriptions | |
|---|---|
| Type: | Cross-Site Scripting (XSS, stored) |
| CVSSv3 Severity: | 6.6 (Medium) |
| Known Attacks: | None |
| Description: | An administrator with limited privileges can insert script in product and short descriptions, potentially resulting in a stored cross-site scripting that affects site users. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.7, and Magento Commerce prior to 1.14.3.7. |
| Fixed In: | Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415. |
| Reporter: | hodollsoft |
| APPSEC-1892: Stored XSS in Visual Merchandiser | |
|---|---|
| Type: | Cross-Site Scripting (XSS, stored) |
| CVSSv3 Severity: | 6.1 (Medium) |
| Known Attacks: | None |
| Description: | An administrator with limited privileges can create a stored-cross site scripting attack in the Visual Merchaniser system. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.7, and Magento Commerce prior to 1.14.3.7. |
| Fixed In: | Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415. |
| Reporter: | mpchadwick |
| APPSEC-1894: Remote Code Execution by leveraging unsafe unserialization | |
|---|---|
| Type: | Remote Code Execution (RCE) |
| CVSSv3 Severity: | 8.2 (High) |
| Known Attacks: | None |
| Description: | An administrator with limited privileges can insert injectable code in promo fields, creating an opportunity for arbitrary remote code execution. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.7, and Magento Commerce prior to 1.14.3.7. |
| Fixed In: | Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415. |
| Reporter: | pocallaghan |
| APPSEC-1897: Fix WSDL based patching to work with SOAP V1 | |
|---|---|
| Type: | Patch Fix |
| CVSSv3 Severity: | None |
| Known Attacks: | None |
| Description: | Addresses an issue affecting a small number of customers to enable two prior patches to handle SOAP v1 interactions in WSDL. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.7, and Magento Commerce prior to 1.14.3.7. |
| Fixed In: | Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415. |
| Reporter: | Internal |
| APPSEC-1913: Remote Code Execution through Config Manipulation | |
|---|---|
| Type: | Remote Code Execution (RCE) |
| CVSSv3 Severity: | 7.2 (High) |
| Known Attacks: | None |
| Description: | An administrator with limited privileges can inject a malformed configuration bypass leading to a file redirection that can be leveraged in to arbitrary remote code execution. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.7, and Magento Commerce prior to 1.14.3.7. |
| Fixed In: | Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415. |
| Reporter: | pocallaghan |
| APPSEC-1914: Stored XSS in CMS Page Area | |
|---|---|
| Type: | Cross-Site Scripting (XSS, stored) |
| CVSSv3 Severity: | 6.1 (Medium) |
| Known Attacks: | None |
| Description: | An administrator with limited privileges can create a page within the Content Management System (CMS) with an embedded cross-site scripting attack. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.7, and Magento Commerce prior to 1.14.3.7. |
| Fixed In: | Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415. |
| Reporter: | pocallaghan |
| APPSEC-1915: Remote Code Execution in CMS Page Area | |
|---|---|
| Type: | Remote Code Execution (RCE) |
| CVSSv3 Severity: | 8.2 (High) |
| Known Attacks: | None |
| Description: | An administrator with limited privileges can create a specially crafted CMS page that can be parsed incorrectly, potentially leading to an arbitrary remote code execeution. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.7, and Magento Commerce prior to 1.14.3.7. |
| Fixed In: | Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415. |
| Reporter: | pocallaghan |
| APPSEC-1325: Stored XSS in Billing Agreements | |
|---|---|
| Type: | Cross-Site Scripting (XSS, stored) |
| CVSSv3 Severity: | 5.5 (Medium) |
| Known Attacks: | None |
| Description: | An administrator with limited privileges can create Billing Agreements with embedded cross-site scripting elements that can subsequently lead to a stored cross-site scripting attack. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.7, and Magento Commerce prior to 1.14.3.7, Magento 2.0 prior to 2.0.17, Magento 2.1 prior to 2.1.10, Magento 2.2 |
| Fixed In: | Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415, Magento 2.0.17, Magento 2.1.10, Magento 2.2.1 |
| Reporter: | pocallaghan |
| APPSEC-1830: PHP Object Injection in product attributes leading to Remote Code Execution | |
|---|---|
| Type: | Remote Code Execution (RCE) |
| CVSSv3 Severity: | 8.2 (High) |
| Known Attacks: | None |
| Description: | An administrator with limited privileges can insert a widget block containing malicious code, creating an opportunity for arbitrary remote code execution. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.7, and Magento Commerce prior to 1.14.3.7, Magento 2.0 prior to 2.0.17, Magento 2.1 prior to 2.1.10, Magento 2.2 |
| Fixed In: | Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415, Magento 2.0.17, Magento 2.1.10, Magento 2.2.1 |
| Reporter: | fabian |
| APPSEC-1861: PHP Object Injection in product entries leading to Remote Code Execution |
|---|
| APPSEC-1861: PHP Object Injection in product entries leading to Remote Code Execution | |
|---|---|
| Type: | Remote Code Execution (RCE) |
| CVSSv3 Severity: | 8.2 (High) |
| Known Attacks: | None |
| Description: | An administrator with limited privileges can insert injectable code in promo fields, creating an opportunity for arbitrary remote code execution. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.7, and Magento Commerce prior to 1.14.3.7, Magento 2.0 prior to 2.0.17, Magento 2.1 prior to 2.1.10, Magento 2.2 |
| Fixed In: | Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415, Magento 2.0.17, Magento 2.1.10, Magento 2.2.1 |
| Reporter: | fabian |