To install SUPEE-10752 please refer to the following articles: or use our patch installation service.
Note: There are some Known issues for this patch.
Download SUPEE-10752
| Magento version | SUPEE-10752 | MD5 checksum |
|---|---|---|
| Magento CE 1.5.1.0 | SUPEE-10752 1.5.1.0 | 47146af5b1b027c4b76f17ed2963e947 |
| Magento CE 1.6.2.0 | SUPEE-10752 1.6.2.0 | 92b384e3c9e654ff9a646497e712333b |
| Magento CE 1.7.0.2 | SUPEE-10752 1.7.0.2 | 5185c6e35b2e2456b9014edeedbd69d0 |
| Magento CE 1.8.1.0 | SUPEE-10752 1.8.1.0 | c5fd109dcdf145791e26b6cefad6b4e8 |
| Magento CE 1.9.0.1 | SUPEE-10752 1.9.0.1 | f553c944a8fcc6a52fea122e57b342f3 |
| Magento CE 1.9.1.0-1.9.1.1 | SUPEE-10752 1.9.1.1 | c1c2b55b18387719aef4964429da85f4 |
| Magento CE 1.9.2.0-1.9.2.4 | SUPEE-10752 1.9.2.4 | 8b78b8213709505ca106f9924d01fd79 |
| Magento CE 1.9.3.0-1.9.3.8 | SUPEE-10752 1.9.3.8 | a652e2eb0668021dfe0d4f41e6dc4e70 |
| Magento CE 1.9.3.9 | already included | |
| OpenMage v19.4.3 | already included |
| APPSEC-2001: Authenticated Remote Code Execution (RCE) using custom layout XML | |
|---|---|
| Type: | Remote Code Execution (RCE) |
| CVSSv3 Severity: | 9.8 (Critical) |
| Known Attacks: | None |
| Description: | Admin users with permission to manage products can use custom layout XML to copy any file to any location. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9. |
| Fixed In: | Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752 |
| Reporter: | fabain |
| APPSEC-2015: Authenticated Remote Code Execution (RCE) through the Create New Order feature (Commerce only) | |
|---|---|
| Type: | Remote Code Execution (RCE) |
| CVSSv3 Severity: | 9.8 (Critical) |
| Known Attacks: | None |
| Description: | Users with permission to generate sales orders from the Admin panel can use gift card functionality to manipulate request data and inject a malicious string that is later unserialized. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9. |
| Fixed In: | Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752 |
| Reporter: | Peter O’Callaghan |
| APPSEC-2042: PHP Object Injection and RCE in the Magento admin panel (Commerce Target Rule module) | |
|---|---|
| Type: | Remote Code Execution (RCE) |
| CVSSv3 Severity: | 8.9 (High) |
| Known Attacks: | None |
| Description: | An administrator user with access to the Enterprise Target rule module can create rule-based product relations that can be manipulated to trigger remote code execution. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9, Magento 2.1 prior to 2.1.14 |
| Fixed In: | Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752, Magento 2.1.14 |
| Reporter: | convenient |
| APPSEC-2029: PHP Object Injection and Remote Code Execution (RCE) in the Admin panel (Commerce) | |
|---|---|
| Type: | Remote Code Execution (RCE) |
| CVSSv3 Severity: | 8.9 (High) |
| Known Attacks: | None |
| Description: | An administrator user with access to the Commerce Target rule module can create rule-based product relations that can be manipulated to trigger remote code execution. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9 |
| Fixed In: | Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752 |
| Reporter: | convenient |
| APPSEC-2007: Authenticated SQL Injection when saving a category | |
|---|---|
| Type: | SQL Injection (SQLi) |
| CVSSv3 Severity: | 8.2 (High) |
| Known Attacks: | None |
| Description: | By manipulating request data when saving a category, a user can insert a malicious string into the database that can be used in a subsequent request to perform SQL injection. This injected code can be used to trigger arbitrary (with the proviso they fit in the 255 char field) insert and update commands. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9 |
| Fixed In: | Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752 |
| Reporter: | Peter O’Callaghan |
| APPSEC-2027: CSRF is possible against Web sites, Stores, and Store Views | |
|---|---|
| Type: | Cross Site Request Forgery (CSRF) |
| CVSSv3 Severity: | 7.4 (High) |
| Known Attacks: | None |
| Description: | Multiple CSRF vulnerabilities allow for deleting websites, stores or store views. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9, Magento 2.1 prior to 2.1.14, Magento 2.2 prior to 2.2.5 |
| Fixed In: | Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752, Magento 2.1.14, Magento 2.2.5 |
| Reporter: | boskostan |
| APPSEC-1882: The cron.php file can leak database credentials | |
|---|---|
| Type: | Security Implementation Flaw |
| CVSSv3 Severity: | 7.4 (High) |
| Known Attacks: | None |
| Description: | The cron.php file can leak database credentials if it is not able to establish a connection to the database. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9 |
| Fixed In: | Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752 |
| Reporter: | mpchadwick |
| APPSEC-2006: Stored cross-site scripting (XSS) through the Enterprise Logging extension | |
|---|---|
| Type: | Cross Site Scripting (XSS) – stored |
| CVSSv3 Severity: | 6.5 (Medium) |
| Known Attacks: | None |
| Description: | The `Enterprise_Logging` extension logs request data when save events are triggered on the website. This information is displayed to administrators with limited privileges that can view the audit log. Although these saved values are escaped before output, the keys are not, which makes it possible to insert cross-site scripting (XSS) on this page. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9, Magento 2.1 prior to 2.1.14, Magento 2.2 prior to 2.2.5 |
| Fixed In: | Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752, Magento 2.1.14, Magento 2.2.5 |
| Reporter: | Peter O’Callaghan |
| APPSEC-2005: Persistent Cross-Site Scripting (XSS) injection in Configuration table | |
|---|---|
| Type: | Cross Site Scripting (XSS) – stored |
| CVSSv3 Severity: | 6.5 (Medium) |
| Known Attacks: | None |
| Description: | A user with access to an Admin account that includes ACL permissions to save the Shipping Methods section of the configuration table can insert cross-site scripting into the database that is subsequently output on every section of the `System > Configuration` table. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9 |
| Fixed In: | Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752 |
| Reporter: | Peter O’Callaghan |
| APPSEC-1880: Cross-Site Scripting (XSS) through the Admin Username in the CMS Revision Editor (Commerce only) | |
|---|---|
| Type: | Cross-Site Scripting (XSS) |
| CVSSv3 Severity: | 6.3 (Medium) |
| Known Attacks: | None |
| Description: | A user with limited administrator permissions can execute scripts during an admin user session. This script will be executed when any user views this page on the storefront. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9 |
| Fixed In: | Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752 |
| Reporter: | mpchadwick |
| APPSEC-2004: Cross-Site Scripting (XSS) through Remote File Inclusion | |
|---|---|
| Type: | Cross-Site Scripting (XSS) |
| CVSSv3 Severity: | 6.3 (Medium) |
| Known Attacks: | None |
| Description: | Users can use WYSIWYG directives to include valid remote images that have embedded malicious code that persists through image recreation. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9 |
| Fixed In: | Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752 |
| Reporter: | boskostan |
| APPSEC-1988: Path traversal vulnerability in templates | |
|---|---|
| Type: | Allowing Directory Traversal |
| CVSSv3 Severity: | 6.3 (Medium) |
| Known Attacks: | None |
| Description: | A user can set a template without validating it through the use of a relatively unknown method on Varien_Object. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9 |
| Fixed In: | Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752 |
| Reporter: | Peter O’Callaghan |
| APPSEC-1987: Reflective cross-site scripting (XSS) through filter manipulation | |
|---|---|
| Type: | Cross-Site Scripting (XSS) – reflected |
| CVSSv3 Severity: | 6.1 (Medium) |
| Known Attacks: | None |
| Description: | Arbitrary JavaScript can be triggered on the Sales Order page by manipulating one of the URL parameters. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9 |
| Fixed In: | Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752 |
| Reporter: | Peter O’Callaghan |
| APPSEC-2034: XSS in Admin Create Order Configure Product Via Compatible File Extensions | |
|---|---|
| Type: | Cross Site Scripting (XSS) |
| CVSSv3 Severity: | 5.0 (Medium) |
| Known Attacks: | None |
| Description: | An administrator user can inject a malicious script into the file option type when creating a new product with a configurable option of type file. This script will then be executed when a user clicks Configure next to the product when creating an order. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9, Magento 2.1 prior to 2.1.15, Magento 2.2 prior to 2.2.6 |
| Fixed In: | Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752, Magento 2.1.15, Magento 2.2.6 |
| Reporter: | mpchadwick |
| APPSEC-1876: Cross-site scripting (XSS) in Admin Bundle Product Bundle Items Tab through Product SKU | |
|---|---|
| Type: | Cross Site Scripting (XSS) |
| CVSSv3 Severity: | 5.0 (Medium) |
| Known Attacks: | None |
| Description: | Scripts in product SKUs are evaluated and executed when a user views the Bundle Items tab for a bundled product. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9 |
| Fixed In: | Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752 |
| Reporter: | mpchadwick |
| APPSEC-1874: Cross-Site Scripting (XSS) in the Admin Gift Registry Type Edit via Attribute Group | |
|---|---|
| Type: | Cross Site Scripting (XSS) |
| CVSSv3 Severity: | 5.0 (Medium) |
| Known Attacks: | None |
| Description: | A user can inject a malicious script into the Attribute Group value that will be executed whenever a user views a Gift Registry Type in the Admin. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9 |
| Fixed In: | Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752 |
| Reporter: | mpchadwick |
| APPSEC-1872: Cross-Site Scripting (XSS) in the Admin Manage Catalog Events list through category name | |
|---|---|
| Type: | Cross Site Scripting (XSS) |
| CVSSv3 Severity: | 5.0 (Medium) |
| Known Attacks: | None |
| Description: | Category names are not escaped when rendered on the Manage Catalog Events list, which results in a cross-site scripting (XSS) vulnerability. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9 |
| Fixed In: | Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752 |
| Reporter: | mpchadwick |
| APPSEC-1928: Stored XSS in Downloadable Product Links title – frontend | |
|---|---|
| Type: | Cross Site Scripting (XSS) – stored |
| CVSSv3 Severity: | 5.0 (Medium) |
| Known Attacks: | None |
| Description: | An administrator user with access to edit products can insert a malicious script into downloadable products. The malicious script can be triggered on the front-end and admin area. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9 |
| Fixed In: | Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752 |
| Reporter: | magecraze |
| APPSEC-1871: Cross-Site Scripting (XSS) in the Admin Manage Customer Rewards points history using the Reason field | |
|---|---|
| Type: | Cross Site Scripting (XSS) |
| CVSSv3 Severity: | 5.0 (Medium) |
| Known Attacks: | None |
| Description: | Admin users with limited privileges can exploit the Reward Points History feature to inject cross-site scripting (XSS). |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9 |
| Fixed In: | Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752 |
| Reporter: | mpchadwick |
| APPSEC-1870: Cross-Site Scripting (XSS) in Admin Manage Invitations list through Invitee email address | |
|---|---|
| Type: | Cross Site Scripting (XSS) |
| CVSSv3 Severity: | 5.0 (Medium) |
| Known Attacks: | None |
| Description: | A user without Admin credentials can inject cross-site scripting into the Admin role the Manage Invitations list for Admin users without “Manage Customers” permissions. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9 |
| Fixed In: | Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752 |
| Reporter: | mpchadwick |
| APPSEC-1972/APPSEC-2103: Admin password change does not force the logout of the Admin user | |
|---|---|
| Type: | Privilege Escalation & Enumeration |
| CVSSv3 Severity: | 4.3 (Medium) |
| Known Attacks: | None |
| Description: | Password changes initiated from the Admin panel do not force a logout. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9 |
| Fixed In: | Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752 |
| Reporter: | - |
| APPSEC-1934: Systemic Cross-Site Request Forgery (CSRF) on the Checkout page | |
|---|---|
| Type: | Cross-Site Request Forgery (CSRF) |
| CVSSv3 Severity: | 4.3 (Medium) |
| Known Attacks: | None |
| Description: | A user can inject a cross-site request forgery (CSRF) into a users cart on the Checkout page due to a missing CSRF token. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9 |
| Fixed In: | Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752 |
| Reporter: | qqwedsawqeqw |
| APPSEC-1917: Password theft though uploaded video and Auth Prompt password theft vulnerability | |
|---|---|
| Type: | Security Misconfiguration |
| CVSSv3 Severity: | 4.3 (Medium) |
| Known Attacks: | None |
| Description: | Users can exploit vulnerabilities in the Auth Password user password field and external video uploads to steal user passwords. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9, Magento 2.1 prior to 2.1.15, Magento 2.2 prior to 2.2.6 |
| Fixed In: | Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752, Magento 2.1.15, Magento 2.2.6 |
| Reporter: | todayisnew |
| APPSEC-1993: IP spoofing | |
|---|---|
| Type: | Privilege Escalation & Enumeration |
| CVSSv3 Severity: | 3.7 (Low) |
| Known Attacks: | None |
| Description: | A vulnerability exists that permits the IP spoofing of a client’s address, which allows the potential bypassing of any security features that rely on identifying a client by their IP source. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9, Magento 2.1 prior to 2.1.14, Magento 2.2 prior to 2.2.5 |
| Fixed In: | Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752, Magento 2.1.14, Magento 2.2.5 |
| Reporter: | driskell |