You can download SUPEE-11086 patch for your Magento version on this page, just right click and select “Save file as” from the table below.
It can be applied in the same way as any previous patch, i.e. SUPEE-11085 or via our patch installation service along with all missing security patches at once.
Note: There are some Known issues for this patch.
ZIP bundle for patch installation via file upload
Unpack and copy folders to your Magento root directory.Note: ZIP-bundle include SUPEE-11086 and also MPERF-10565 correcting the known issue with logging to non-existent files.
| Magento version | SUPEE-11086 + MPERF-10565 |
|---|---|
| Magento 1.9.4.1 (MPERF-10565 only) | |
| Magento 1.9.4.0 | SUPEE-11086-1.9.4.0 |
| Magento 1.9.3.10 | SUPEE-11086-1.9.3.10 |
| Magento 1.9.3.9 | SUPEE-11086-1.9.3.9 |
Download SUPEE-11086 (.SH Shell script)
| Magento version | SUPEE-11086 | MD5 checksum |
|---|---|---|
| Magento CE 1.6.2.0 | SUPEE-11086 1.6.2.0 | 029ce045ae30fcaad1703515b6833c60 |
| Magento CE 1.7.0.2 | SUPEE-11086 1.7.0.2 | 71bb1a8e5a1d415918d3e552105f1518 |
| Magento CE 1.8.1.0-1.9.1.1 | SUPEE-11086 1.9.1.0 | ca90cdb3d185e8a3041d16e92e597e2b |
| Magento CE 1.9.2.0-1.9.2.4 | SUPEE-11086 1.9.2.4 | 92066c4028b37f50e0dbde59a89c0619 |
| Magento CE 1.9.3.0-1.9.3.10 | SUPEE-11086 1.9.3.10 | 7317c089e5b56417548d1374c2954e68 |
| Magento CE 1.9.4.0 | SUPEE-11086 1.9.4.0 | 0d38f8335fea87fe35f2b47d8186503f |
| Magento CE 1.9.4.1 | the patch is included already | |
| OpenMage v19.4.3 | the patch is included already |
| PRODSECBUG-2198: SQL Injection vulnerability through an unauthenticated user | |
|---|---|
| Type: | Injections: SQL |
| CVSSv3 Severity: | 9.0 |
| Known Attacks: | none |
| Description: | An unauthenticated user can execute arbitrary code through an SQL injection vulnerability, which causes sensitive data leakage. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1, Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 |
| Fixed In: | Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086, Magento 2.1.17, Magento 2.2.8, Magento 2.3.1 |
| Reporter: | cfreal |
| PRODSECBUG-2285: Remote code execution via server side request forgery issued to Redis | |
|---|---|
| Type: | General: Remote Code Execution |
| CVSSv3 Severity: | 8.5 |
| Known Attacks: | none |
| Description: | An authenticated user with administrative privileges to store configuration can execute arbitrary code via server side request forgery (SSRF) issued to Redis. SSRF is are facilitated through crafted gateway XML URL configuration. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1. |
| Fixed In: | Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086 |
| Reporter: | Max Chadwick |
| PRODSECBUG-2273: Arbitrary code execution due to unsafe handling of a malicious product attribute configuration | |
|---|---|
| Type: | General: Remote Code Execution |
| CVSSv3 Severity: | 8.5 |
| Known Attacks: | none |
| Description: | An authenticated user with privileges to configure products can execute arbitrary PHP code. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1. |
| Fixed In: | Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086 |
| Reporter: | Blaklis_ |
| PRODSECBUG-2261: Arbitrary code execution due to unsafe deserialization of a PHP archive | |
|---|---|
| Type: | General: Remote Code Execution |
| CVSSv3 Severity: | 8.5 |
| Known Attacks: | none |
| Description: | An authenticated user with administrative privileges can execute arbitrary code through a Phar deserialization vulnerability. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1, Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 |
| Fixed In: | Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086, Magento 2.1.17, Magento 2.2.8, Magento 2.3.1 |
| Reporter: | Simon Scannell |
| PRODSECBUG-2253: Arbitrary code execution due to unsafe handling of a malicious layout update | |
|---|---|
| Type: | General: Remote Code Execution |
| CVSSv3 Severity: | 8.5 |
| Known Attacks: | none |
| Description: | An authenticated user with privileges to the dataflow importer and catalog categories can execute arbitrary PHP code. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1. |
| Fixed In: | Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086 |
| Reporter: | Luke Rodgers |
| PRODSECBUG-2203: Remote code execution through PHP code that can be uploaded to the ngnix server due to crafted customer store attributes | |
|---|---|
| Type: | General: Remote Code Execution |
| CVSSv3 Severity: | 8.5 |
| Known Attacks: | none |
| Description: | An authenticated user with privileges to modify a customer’s store attributes can execute arbitrary code when allowed to upload PHP input files to the ngnix server. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1. |
| Fixed In: | Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086 |
| Reporter: | Max Chadwick |
| PRODSECBUG-2210: Remote code execution through arbitrary XML data sent through a layout table | |
|---|---|
| Type: | General: Remote Code Execution |
| CVSSv3 Severity: | 8.5 |
| Known Attacks: | none |
| Description: | An authenticated user with administrative privileges to modify layouts can execute arbitrary code by injecting arbitrary XML data into a layout table. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1. |
| Fixed In: | Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086 |
| Reporter: | Pete O’Callaghan |
| PRODSECBUG-2252: Arbitrary code execution through bypass of PHP file upload restriction | |
|---|---|
| Type: | General: Remote Code Execution |
| CVSSv3 Severity: | 8.5 |
| Known Attacks: | none |
| Description: | An authenticated user with privileges to system configuration files can bypass file upload restrictions and allow arbitrary upload and execution of arbitrary PHP code. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1. |
| Fixed In: | Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086 |
| Reporter: | Luke Rodgers |
| PRODSECBUG-2232: Arbitary code execution due to bypass of layout validator | |
|---|---|
| Type: | General: Remote Code Execution |
| CVSSv3 Severity: | 8 |
| Known Attacks: | none |
| Description: | An authenticated user with privileges can bypass the layout validator and execute arbitrary code through layout updates in the Admin. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1. |
| Fixed In: | Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086 |
| Reporter: | Pete O’Callaghan |
| PRODSECBUG-2245: Stored cross-site scriptingin the escaper framework | |
|---|---|
| Type: | General: Cross Site Scripting |
| CVSSv3 Severity: | 7.6 |
| Known Attacks: | none |
| Description: | An authenticated user with administrative privileges can eecute arbitrary script code via a stored cross site scripting vulnerability using new line in escaper framework. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1. |
| Fixed In: | Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086 |
| Reporter: | Max Chadwick |
| PRODSECBUG-2182: Reflected cross-site scriptingin the product widget chooser section of the Admin | |
|---|---|
| Type: | General: Cross Site Scripting |
| CVSSv3 Severity: | 6.5 |
| Known Attacks: | none |
| Description: | An authenticated user with administrative privileges can embed arbitrary code in the product widget chooser section of the Admin. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1. |
| Fixed In: | Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086 |
| Reporter: | magecraze |
| MPERF-10416: Deletion of Catalog rules through cross-site request forgery | |
|---|---|
| Type: | General: Cross Site Request Forgery |
| CVSSv3 Severity: | 5.8 |
| Known Attacks: | none |
| Description: | An attacker can use cross-site request forgery to delete Catalog rules within the context of an authenticated administrator’s session. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1. |
| Fixed In: | Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086 |
| Reporter: | Internal |
| MPERF-10400: Deletion of Catalog products through cross-site request forgery | |
|---|---|
| Type: | General: Cross Site Request Forgery |
| CVSSv3 Severity: | 5.8 |
| Known Attacks: | None |
| Description: | An attacker can use cross-site request forgery to delete Catalog products within the context of an authenticated administrator’s session. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1. |
| Fixed In: | Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086 |
| Reporter: | Internal |
| PRODSECBUG-2178: Stored cross-site scripting in the admin panel via the Admin Shopping Cart Rules page | |
|---|---|
| Type: | General: Cross Site Scripting |
| CVSSv3 Severity: | 5.8 |
| Known Attacks: | none |
| Description: | An authenticated user with administrative privileges can embed arbitrary code in the Conditions tab of Admin Shopping Cart Rules page. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1, Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 |
| Fixed In: | Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086, Magento 2.1.17, Magento 2.2.8, Magento 2.3.1 |
| Reporter: | magecraze |
| PRODSECBUG-2227: Deletion of SOAP/XML-RPC-User and SOAP/XML-RPC-Role through cross-site request forgery | |
|---|---|
| Type: | General: Cross Site Request Forgery |
| CVSSv3 Severity: | 5.8 |
| Known Attacks: | none |
| Description: | An attacker can delete SOAP/XML-RPC-User and SOAP/XML-RPC-Role within the context of an authenticated administrator’s session through cross-site request forgery. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1. |
| Fixed In: | Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086 |
| Reporter: | djordje-marjanovic |
| PRODSECBUG-2222: Deletion of user roles through cross-site request forgery | |
|---|---|
| Type: | General: Cross Site Request Forgery |
| CVSSv3 Severity: | 5.8 |
| Known Attacks: | none |
| Description: | An attacker can delete user roles through cross-site request forgery within the context of an authenticated administrator’s session. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1. |
| Fixed In: | Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086 |
| Reporter: | djordje-marjanovic |
| PRODSECBUG-2220: Deletion of store design schedule through cross-site request forgery | |
|---|---|
| Type: | General: Cross Site Request Forgery |
| CVSSv3 Severity: | 5.8 |
| Known Attacks: | none |
| Description: | An attacker can delete the store design schedule within the context of an authenticated administrator’s session through cross-site request forgery. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1. |
| Fixed In: | Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086 |
| Reporter: | djordje-marjanovic |
| PRODSECBUG-2212: Deletion of shopping cart price rules through cross-site request forgery | |
|---|---|
| Type: | General: Cross Site Request Forgery |
| CVSSv3 Severity: | 5.8 |
| Known Attacks: | none |
| Description: | An attacker can delete the shopping cart price rules within the context of an authenticated administrator’s session through cross-site request forgery. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1. |
| Fixed In: | Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086 |
| Reporter: | magecraze |
| PRODSECBUG-2254: Deletion of REST-Role and REST-OAuth Consumer, and change of REST-Attribute via cross-site request forgery | |
|---|---|
| Type: | General: Cross Site Request Forgery |
| CVSSv3 Severity: | 5.8 |
| Known Attacks: | none |
| Description: | An attacker can delete REST-Role and REST-OAuth Consumer, and change REST-Attribute within the context of authenticated administrator’s session via cross-site request forgery. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1. |
| Fixed In: | Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086 |
| Reporter: | djordje-marjanovic |
| PRODSECBUG-2195: Deletion of a product attribute through cross-site request forgery | |
|---|---|
| Type: | General: Cross Site Request Forgery |
| CVSSv3 Severity: | 5.8 |
| Known Attacks: | none |
| Description: | An attacker can delete a product attribute within the context of authenticated administrator’s session through cross-site request forgery. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1, Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 |
| Fixed In: | Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086, Magento 2.1.17, Magento 2.2.8, Magento 2.3.1 |
| Reporter: | djordje-marjanovic |
| PRODSECBUG-2225: Deletion of an Admin user through cross-site request forgery | |
|---|---|
| Type: | General: Cross Site Request Forgery |
| CVSSv3 Severity: | 5.8 |
| Known Attacks: | none |
| Description: | An attacker can delete an administrative user through cross-site request forgery within the context of an authenticated administrator’s session. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1. |
| Fixed In: | Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086 |
| Reporter: | djordje-marjanovic |
| PRODSECBUG-2244: Stored cross-site scripting in the Admin through the Email Template Preview section | |
|---|---|
| Type: | General: Cross Site Scripting |
| CVSSv3 Severity: | 5.5 |
| Known Attacks: | none |
| Description: | An authenticated user with privileges can embed malicious code in the Email Template Preview section of the Admin. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1. |
| Fixed In: | Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086 |
| Reporter: | Roberto Suggi Liverani |
| PRODSECBUG-2230: Data manipulation due to improper validation | |
|---|---|
| Type: | General: Cross Site Request Forgery |
| CVSSv3 Severity: | 5.4 |
| Known Attacks: | none |
| Description: | An authenticated usercan manipulate datawithout required validation. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1. |
| Fixed In: | Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086 |
| Reporter: | Pete O’Callaghan |
| PRODSECBUG-2197: Admin credentials are logged in exception reports | |
|---|---|
| Type: | Information Disclousure |
| CVSSv3 Severity: | 3.9 |
| Known Attacks: | none |
| Description: | Exception error reports capture administrative credentials in clear text format |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1, Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 |
| Fixed In: | Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086, Magento 2.1.17, Magento 2.2.8, Magento 2.3.1 |
| Reporter: | magecraze, Matt Hamm |
| PRODSECBUG-2186: Unauthorized access to the order list through an insecure direct object reference in the application. | |
|---|---|
| Type: | Privilege Escalation & Enumeration: Insecure Direct Object Reference |
| CVSSv3 Severity: | 3.7 |
| Known Attacks: | none |
| Description: | A registered user can enumerate and access an unauthorized order list through insecure direct object reference in the application. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1. |
| Fixed In: | Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086 |
| Reporter: | Roberto Suggi Liverani |