To install SUPEE-10975 please refer to the following articles: or use our Magento Patch installation service to install all security patches at once.
Note: There are some known issues for this patch.
Download SUPEE-10975
Magento version | SUPEE-10975 | MD5 checksum |
---|---|---|
Magento CE 1.5.1.0 | SUPEE-10975 1.5.1.0 | c6a755c6096b5e5569f94d9546faf060 |
Magento CE 1.6.2.0 | SUPEE-10975 1.6.2.0 | 69f2dce956d1d5b5044bc49c3177436b |
Magento CE 1.7.0.2 | SUPEE-10975 1.7.0.2 | bdf6f1ecb1a7d5b3accaa7b35bcaa709 |
Magento CE 1.8.0.0 | SUPEE-10975 1.8.0.0 | 0c08721a4240ae025ed6f9e8e13b0af0 |
Magento CE 1.8.1.0 | SUPEE-10975 1.8.1.0 | ddb6f729f7c300fcabcf16b63a201f07 |
Magento CE 1.9.0.0-1.9.0.1 | SUPEE-10975 1.9.0.1 | e11411275787763252389d2f76caa9dd |
Magento CE 1.9.1.0-1.9.1.1 | SUPEE-10975 1.9.1.1 | d38152ca87e3202b9b68a199584fb262 |
Magento CE 1.9.2.0-1.9.3.3 | SUPEE-10975 1.9.3.3 | b14ad19c443f211c06b8eced3bf2fa16 |
Magento CE 1.9.3.4-1.9.3.10 | SUPEE-10975 1.9.3.10 | a378b0b9b6fc59c7338d6c8bf8019f54 |
Magento CE 1.9.4.0-1.9.4.5 | the patch is already included | |
OpenMage v19.4.3 and newer | the patch is already included | |
PRODSECBUG-1589: Stops Brute Force Requests via basic RSS authentication | |
---|---|
Type: | Brute Force Login / Session Identifier |
CVSSv3 Severity: | 9.0 |
Known Attacks: | none |
Description: | Attacker is able to brute force requests to the RSS nodes that require admin authentication. With this, attacker would be able to guess the admin password. |
Product(s) Affected: | Magento Open Source prior to 1.9.4.0, and Magento Commerce prior to 1.14.4.0. |
Fixed In: | Magento Open Source 1.9.4.0, Magento Commerce 1.14.4.0, SUPEE-10975 |
Reporter: | NA |
MAG-23: M1 Credit Card Storage Capability | |
---|---|
Type: | Compliance Requirement |
CVSSv3 Severity: | 9.0 |
Known Attacks: | none |
Description: | Removes functionality enabling M1 customers to store credit card data in the database. |
Product(s) Affected: | Magento Open Source prior to 1.9.4.0, and Magento Commerce prior to 1.14.4.0. |
Fixed In: | Magento Open Source 1.9.4.0, Magento Commerce 1.14.4.0, SUPEE-10975 |
Reporter: | NA |
PRODSECBUG-2149: Authenticated RCE using customer import | |
---|---|
Type: | Remote Code Execution (RCE) |
CVSSv3 Severity: | 8.5 |
Known Attacks: | none |
Description: | Restricts Admin users with access to edit product attributes from running customer imports while executing arbitrary code using a serialized string that has been set as validate_rules on an attribute. |
Product(s) Affected: | Magento Open Source prior to 1.9.4.0, and Magento Commerce prior to 1.14.4.0. |
Fixed In: | Magento Open Source 1.9.4.0, Magento Commerce 1.14.4.0, SUPEE-10975 |
Reporter: | Fabain |
PRODSECBUG-2159: API Based RCE Vulnerability | |
---|---|
Type: | Remote Code Execution (RCE) |
CVSSv3 Severity: | 8.5 |
Known Attacks: | none |
Description: | By activating an API, including the ability to add products, it is possible to send base64-encoded content to an unauthorized file and, with it, execute an RCE. |
Product(s) Affected: | Magento Open Source prior to 1.9.4.0, and Magento Commerce prior to 1.14.4.0, Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7 |
Fixed In: | Magento Open Source 1.9.4.0, Magento Commerce 1.14.4.0, SUPEE-10975, Magento 2.1.16, Magento 2.2.7, Magento 2.3.0 |
Reporter: | sambecks |
PRODSECBUG-2156: RCE Via Unauthorized Upload | |
---|---|
Type: | Remote Code Execution (RCE) |
CVSSv3 Severity: | 8.5 |
Known Attacks: | none |
Description: | Prevents a user from uploading unauthorized files while attaching videos. |
Product(s) Affected: | Magento Open Source prior to 1.9.4.0, and Magento Commerce prior to 1.14.4.0, Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7 |
Fixed In: | Magento Open Source 1.9.4.0, Magento Commerce 1.14.4.0, SUPEE-10975, Magento 2.1.16, Magento 2.2.7, Magento 2.3.0 |
Reporter: | mortis |
PRODSECBUG-2155: Authenticated RCE using dataflow | |
---|---|
Type: | Remote Code Execution (RCE) |
CVSSv3 Severity: | 8.5 |
Known Attacks: | none |
Description: | Prevents Admin users with access to dataflow functionality from executing arbitrary code using a specially crafted serialized string. |
Product(s) Affected: | Magento Open Source prior to 1.9.4.0, and Magento Commerce prior to 1.14.4.0. |
Fixed In: | Magento Open Source 1.9.4.0, Magento Commerce 1.14.4.0, SUPEE-10975 |
Reporter: | Fabain |
PRODSECBUG-2053: Prevents XSS in Newsletter Template | |
---|---|
Type: | Cross-Site Scripting (XSS) |
CVSSv3 Severity: | 6.5 |
Known Attacks: | none |
Description: | Strengthens Newsletter Template settings to prevent a possible XSS attack. |
Product(s) Affected: | Magento Open Source prior to 1.9.4.0, and Magento Commerce prior to 1.14.4.0, Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7 |
Fixed In: | Magento Open Source 1.9.4.0, Magento Commerce 1.14.4.0, SUPEE-10975, Magento 2.1.16, Magento 2.2.7, Magento 2.3.0 |
Reporter: | NA |
PRODSECBUG-2142: XSS in CMS Preview | |
---|---|
Type: | Cross-Site Scripting (XSS) |
CVSSv3 Severity: | 6.5 |
Known Attacks: | none |
Description: | An administrator on Magento 1 with permissions to edit CMS pages can insert script tags into the version history label, which will trigger when another administrator previews a page, a standard practice prior to publishing content updates. The malicious script tag does not need to be the most recent entry; it just needs to exist in the history. As such, a malicious actor would be able to insert the bad label in a non-current entry to avoid suspicion, as this would not be obvious. This could then sit for some time until an administrator comes to preview the CMS page before making an edit, allowing the malicious actor to perform actions as that user and gain additional privileges. |
Product(s) Affected: | Magento Open Source prior to 1.9.4.0, and Magento Commerce prior to 1.14.4.0. |
Fixed In: | Magento Open Source 1.9.4.0, Magento Commerce 1.14.4.0, SUPEE-10975 |
Reporter: | convenient |
PRODSECBUG-1860: Admin Account XSS Attack Cessation via Filename. | |
---|---|
Type: | Cross-Site Scripting (XSS) |
CVSSv3 Severity: | 6.5 |
Known Attacks: | none |
Description: | An attacker with access to upload can craft an image with a malicious file name in order to execute an XSS attack. |
Product(s) Affected: | Magento Open Source prior to 1.9.4.0, and Magento Commerce prior to 1.14.4.0. |
Fixed In: | Magento Open Source 1.9.4.0, Magento Commerce 1.14.4.0, SUPEE-10975 |
Reporter: | mpchadwick |
PRODSECBUG-2119: EE Patch to include names in templates | |
---|---|
Type: | Insufficient Data Protection |
CVSSv3 Severity: | 6.5 |
Known Attacks: | none |
Description: | Enterprise Edition misses several unescaped website, store and store group names. |
Product(s) Affected: | Magento Open Source prior to 1.9.4.0, and Magento Commerce prior to 1.14.4.0. |
Fixed In: | Magento Open Source 1.9.4.0, Magento Commerce 1.14.4.0, SUPEE-10975 |
Reporter: | NA |
PRODSECBUG-2129: XSS in Google Analytics Vulnerability | |
---|---|
Type: | Cross-Site Scripting (XSS) |
CVSSv3 Severity: | 6.5 |
Known Attacks: | none |
Description: | An administrator on Magento 1 with permissions to update the Google Analytics configuration can trigger an XSS vulnerability when another administrator issues a Credit Memo. This attack could allow one administrator to trigger privileged requests from another user's account, changing further configuration or chaining together further attacks. |
Product(s) Affected: | Magento Open Source prior to 1.9.4.0, and Magento Commerce prior to 1.14.4.0. |
Fixed In: | Magento Open Source 1.9.4.0, Magento Commerce 1.14.4.0, SUPEE-10975 |
Reporter: | convenient |
PRODSECBUG-2019: Merchant Wishlist Security Strengthening | |
---|---|
Type: | Brute Force (Generic) / Insufficient Anti-automation |
CVSSv3 Severity: | 5.3 |
Known Attacks: | none |
Description: | Prevents unwanted spamming of user wishlists. |
Product(s) Affected: | Magento Open Source prior to 1.9.4.0, and Magento Commerce prior to 1.14.4.0. |
Fixed In: | Magento Open Source 1.9.4.0, Magento Commerce 1.14.4.0, SUPEE-10975 |
Reporter: | NA |
PRODSECBUG-2104: Send to a Friend Vulnerability | |
---|---|
Type: | Brute Force (Generic) / Insufficient Anti-automation |
CVSSv3 Severity: | 5.3 |
Known Attacks: | none |
Description: | Send to a friend feature does not allow for CAPTCHA to be enabled. At least 1 merchant has been targeted by bot attacks resulting in Sendgrid credits being maxed out. |
Product(s) Affected: | Magento Open Source prior to 1.9.4.0, and Magento Commerce prior to 1.14.4.0. |
Fixed In: | Magento Open Source 1.9.4.0, Magento Commerce 1.14.4.0, SUPEE-10975 |
Reporter: | Internal Staff |
PRODSECBUG-2125: CSRF on deletion of Blocks Vulnerability | |
---|---|
Type: | Cross-Site Request Forgery (CSRF) |
CVSSv3 Severity: | 4.2 |
Known Attacks: | none |
Description: | Prevents a cross-site request forgery vulnerability which can delete all Blocks at once. |
Product(s) Affected: | Magento Open Source prior to 1.9.4.0, and Magento Commerce prior to 1.14.4.0. |
Fixed In: | Magento Open Source 1.9.4.0, Magento Commerce 1.14.4.0, SUPEE-10975 |
Reporter: | Djordje-marjanovic |
PRODSECBUG-2088: CSRF Vulnerability related to Customer Group Deletion | |
---|---|
Type: | Cross-Site Request Forgery (CSRF) |
CVSSv3 Severity: | 4.2 |
Known Attacks: | none |
Description: | Prevents possible deletion of customer group information via escalated privilege. |
Product(s) Affected: | Magento Open Source prior to 1.9.4.0, and Magento Commerce prior to 1.14.4.0, Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7 |
Fixed In: | Magento Open Source 1.9.4.0, Magento Commerce 1.14.4.0, SUPEE-10975, Magento 2.1.16, Magento 2.2.7, Magento 2.3.0 |
Reporter: | Djordje-marjanovic |
PRODSECBUG-2140: CSRF on deletion of Site Map | |
---|---|
Type: | Cross-Site Request Forgery (CSRF) |
CVSSv3 Severity: | 4.2 |
Known Attacks: | none |
Description: | Prevents the deletion of customer groups via a GET request in versions of M1. |
Product(s) Affected: | Magento Open Source prior to 1.9.4.0, and Magento Commerce prior to 1.14.4.0. |
Fixed In: | Magento Open Source 1.9.4.0, Magento Commerce 1.14.4.0, SUPEE-10975 |
Reporter: | Djordje-marjanovic |
PRODSECBUG-2108: Outdated jQuery causing PCI scanning failures | |
---|---|
Type: | Compliance Requirement |
CVSSv3 Severity: | 0.0 |
Known Attacks: | none |
Description: | Updated jQuery to the newest version. |
Product(s) Affected: | Magento Open Source prior to 1.9.4.0, and Magento Commerce prior to 1.14.4.0, Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7 |
Fixed In: | Magento Open Source 1.9.4.0, Magento Commerce 1.14.4.0, SUPEE-10975, Magento 2.1.16, Magento 2.2.7, Magento 2.3.0 |
Reporter: | Internal Staff |
MAG-12, MAG-2: Encryption Keys Stored in Plain Text | |
---|---|
Type: | Information Disclosure / Leakage (Confidential or Restricted) |
CVSSv3 Severity: | 0.0 |
Known Attacks: | none |
Description: | Support encryption of backups out-of-the-box. For example, allow the user to set a password that is used to unlock the backups. It is acceptable if the user willingly opts out, but this should be a supported feature. |
Product(s) Affected: | Magento Open Source prior to 1.9.4.0, and Magento Commerce prior to 1.14.4.0, Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7 |
Fixed In: | Magento Open Source 1.9.4.0, Magento Commerce 1.14.4.0, SUPEE-10975, Magento 2.1.16, Magento 2.2.7, Magento 2.3.0 |
Reporter: | NA |
PRODSECBUG-2141: Unauthorized Admin Panel Bypass | |
---|---|
Type: | Privilege Escalation |
CVSSv3 Severity: | 0.0 |
Known Attacks: | none |
Description: | Prevents a vulnerability whereby the admin panel can be accessed regardless of what the actual request URI is, bypassing IP whitelisting in M1. |
Product(s) Affected: | Magento Open Source prior to 1.9.4.0, and Magento Commerce prior to 1.14.4.0. |
Fixed In: | Magento Open Source 1.9.4.0, Magento Commerce 1.14.4.0, SUPEE-10975 |