To install SUPEE-10888 please refer to the following articles: or use our patch installation service to install all missing security patches at once.
Note: There are some Known issues for this patch.
Download SUPEE-10888
| Magento version | SUPEE-10888 | MD5 checksum |
|---|---|---|
| Magento CE 1.5.1.0 | SUPEE-10888 1.5.1.0 | 0547c5d827a6365a1bf31d75e3cd5631 |
| Magento CE 1.6.2.0 | SUPEE-10888 1.6.2.0 | f50cdd62db9b15a8d50182e33925eff7 |
| Magento CE 1.7.0.2 | SUPEE-10888 1.7.0.2 | 7477adf7ca02175766e47de92a8d6d18 |
| Magento CE 1.8.0.0 | SUPEE-10888 1.8.0.0 | 5263d07abe96c5e6f2005e70e2a5e567 |
| Magento CE 1.9.0.1 | SUPEE-10888 1.9.0.1 | 441cf5b97575c7913714ad3e0fced4c8 |
| Magento CE 1.9.1.0-1.9.1.1 | SUPEE-10888 1.9.1.1 | 6db87266e16b30e3fdd200632abb8b06 |
| Magento CE 1.9.2.0-1.9.2.4 | SUPEE-10888 1.9.2.4 | 701e1ca68a37ea046691930d74f45d94 |
| Magento CE 1.9.3.0-1.9.3.2 | SUPEE-10888 1.9.3.2 | 6ab60e583b2a437c8104d2d12ef6110f |
| Magento CE 1.9.3.3-1.9.3.7 | SUPEE-10888 1.9.3.7 | 0723d0a01c4534e0ba8e93a6c46c0966 |
| Magento CE 1.9.3.8-1.9.3.9 | SUPEE-10888 1.9.3.9 | e9142a3af6039255d924f21aa511d05b |
| Magento CE 1.9.3.10 | the patch is already included | |
| OpenMage v19.4.3 | the patch is already included |
| APPSEC-2061: Authenticated Unauthorised Data Access Via Layout Injection | |
|---|---|
| Type: | XML injection |
| CVSSv3 Severity: | 6.9 |
| Known Attacks: | None |
| Description: | An administrator with limited permissions might be able to obtain information outside of his permissions. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.10, and Magento Commerce prior to 1.14.3.10. |
| Fixed In: | Magento Open Source 1.9.3.10, Magento Commerce 1.14.3.10, SUPEE-10888 |
| Reporter: | |
| APPSEC-1971: Reflective XSS against Admin Panel | |
|---|---|
| Type: | General: Cross Site Scripting (reflective) |
| CVSSv3 Severity: | 6.1 |
| Known Attacks: | None |
| Description: | Arbitrary JS can be triggered on the sales order grid page by manipulating one of the URL parameters. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.10, and Magento Commerce prior to 1.14.3.10. |
| Fixed In: | Magento Open Source 1.9.3.10, Magento Commerce 1.14.3.10, SUPEE-10888 |
| Reporter: | pocallaghan |
| APPSEC-2067: Admin to Admin XSS in configurable custom attribute label | |
|---|---|
| Type: | General: Cross Site Scripting (stored) |
| CVSSv3 Severity: | 5.9 |
| Known Attacks: | None |
| Description: | Administrator with limited permissions might be able to use XSS attack on another administrator. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.10, and Magento Commerce prior to 1.14.3.10. |
| Fixed In: | Magento Open Source 1.9.3.10, Magento Commerce 1.14.3.10, SUPEE-10888 |
| Reporter: | convenient |
| APPSEC-2066: Admin to Admin XSS in Catalog Attribute Media Label | |
|---|---|
| Type: | General: Cross Site Scripting (stored) |
| CVSSv3 Severity: | 5.9 |
| Known Attacks: | None |
| Description: | Administrator with limited permissions might be able to use XSS attack on another administrator. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.10, and Magento Commerce prior to 1.14.3.10. |
| Fixed In: | Magento Open Source 1.9.3.10, Magento Commerce 1.14.3.10, SUPEE-10888 |
| Reporter: | convenient |
| APPSEC-2060: Overwrite all Reviews | |
|---|---|
| Type: | Privilege Escalation & Enumeration: Information Exposure |
| CVSSv3 Severity: | 5.9 |
| Known Attacks: | None |
| Description: | In specific configurations, it might be possible to overwrite reviews. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.10, and Magento Commerce prior to 1.14.3.10. |
| Fixed In: | Magento Open Source 1.9.3.10, Magento Commerce 1.14.3.10, SUPEE-10888 |
| Reporter: | pocallaghan |
| APPSEC-1859: Reset password URL includes the customer ID | |
|---|---|
| Type: | Privilege Escalation & Enumeration |
| CVSSv3 Severity: | N/A |
| Known Attacks: | None |
| Description: | The reset password link for a customer account includes the customer ID. An attacker can use the customer ID to gain access to the customer account, despite the use of a token. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.10, and Magento Commerce prior to 1.14.3.10, Magento 2.1 prior to 2.1.15, Magento 2.2 prior to 2.2.6 |
| Fixed In: | Magento Open Source 1.9.3.10, Magento Commerce 1.14.3.10, SUPEE-10888, Magento 2.1.15, Magento 2.2.6 |
| Reporter: | Internal |
| APPSEC-1730: Downloader does not force to use HTTPS | |
|---|---|
| Type: | Improvement |
| CVSSv3 Severity: | N/A |
| Known Attacks: | None |
| Description: | Downloader now will only use HTTPS connections. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.10, and Magento Commerce prior to 1.14.3.10. |
| Fixed In: | Magento Open Source 1.9.3.10, Magento Commerce 1.14.3.10, SUPEE-10888 |
| Reporter: | Internal |
| APPSEC-1936: Customer password recoverable from the database | |
|---|---|
| Type: | Privilege Escalation & Enumeration: Information Exposure |
| CVSSv3 Severity: | N/A |
| Known Attacks: | None |
| Description: | Magento customer password recoverable from the database `sales_flat_quote` table. A malicious user can use a brute-force attack to recover the `global/secret/key` from the `app/etc/local.xml` file, upload a file, and then decrypt it. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.10, and Magento Commerce prior to 1.14.3.10. |
| Fixed In: | Magento Open Source 1.9.3.10, Magento Commerce 1.14.3.10, SUPEE-10888 |
| Reporter: | jeroenboersma |
| APPSEC-1933: Moxieplayer Redirect | |
|---|---|
| Type: | Security Misconfiguration: Misconfigured Browser Feature |
| CVSSv3 Severity: | N/A |
| Known Attacks: | None |
| Description: | A Moxieplayer redirect allows an open redirect to any site in an exploitable manner. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.10, and Magento Commerce prior to 1.14.3.10. |
| Fixed In: | Magento Open Source 1.9.3.10, Magento Commerce 1.14.3.10, SUPEE-10888 |
| Reporter: | todayisnew |
| APPSEC-2002: E-mail admin users when a new administrator is created. |
|---|
| APPSEC-2002: E-mail admin users when a new administrator is created. | |
|---|---|
| Type: | Improvement |
| CVSSv3 Severity: | N/A |
| Known Attacks: | None |
| Description: | Helps detect recently created admin accounts. Email is sent when new administrator account is created. |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.10, and Magento Commerce prior to 1.14.3.10, Magento 2.1 prior to 2.1.15, Magento 2.2 prior to 2.2.6 |
| Fixed In: | Magento Open Source 1.9.3.10, Magento Commerce 1.14.3.10, SUPEE-10888, Magento 2.1.15, Magento 2.2.6 |
| Reporter: | Internal |
| APPSEC-1790: Possibility to inject XML via gift card registry | |
|---|---|
| Type: | XML Injection |
| CVSSv3 Severity: | N/A |
| Known Attacks: | None |
| Description: | Possibility to inject XML via gift card registry |
| Product(s) Affected: | Magento Open Source prior to 1.9.3.10, and Magento Commerce prior to 1.14.3.10. |
| Fixed In: | Magento Open Source 1.9.3.10, Magento Commerce 1.14.3.10, SUPEE-10888 |
| Reporter: | Internal |