The patch included fix for CVE-2020-9591 (Unauthorized access to admin panel), also known as MPERF-10898.
On May 12, 2020 second version of this patch SUPEE-11314v2 was released to correct critical admin authorization bypass bug introduced in v1 version. If you installed v1 version it is required to revert it as soon as possible and install SUPEE-11314v2 instead.
You can download SUPEE-11314v2 patch for your Magento version below, just right click and select “Save file as” from the table below.
Note: Install this and any other missing patches with our Magento patch installation service or upgrade to OpenMage LTS v19.4.15 (released on August 26, 2021).
What is changed in the patch?
- Customers passwords and admin passwords are now saved with a different hash method, the password hash is updated on login event via observer
- default themes are updated to use new method for wishlist, compare and add-to-cart functions (just like in SUPEE-11219)
- authorization via Admin SID is now disabled by default
- jquery library updated
Note: There are some Known issues for this patch.
Known issues
- New admin users with NULL data after SUPEE-11314
- SagePay Suite Admin/Backend (MOTO) payments don’t work after SUPEE-11314
- Certain modules that makes use of Admin SIDs don’t work after update
Download SUPEE-11314
| Magento version | SUPEE-11314v2 | MD5 checksum |
|---|---|---|
| Magento CE 1.5.1.0 | SUPEE-11314 1.5.1.0 | 1ce1e85c4cd1b59d923d78b6d68078c1 |
| Magento CE 1.6.2.0 | SUPEE-11314 1.6.2.0 | eb28ccd8a171db10c4a838457e782e11 |
| Magento CE 1.7.0.2 | SUPEE-11314 1.7.0.2 | b7885c310d6d0a3596b1f28b1948ca04 |
| Magento CE 1.8.0.0 | SUPEE-11314 1.8.0.0 | 9680f71fb214ff6b2ee79d5df98849fc |
| Magento CE 1.8.1.0 | SUPEE-11314 1.8.1.0 | 976448e7c63a5bec1c1be4782b0d35fa |
| Magento CE 1.9.0.0-1.9.0.1 | SUPEE-11314 1.9.0.1 | 056dac41018949feebda1360b0e54d42 |
| Magento CE 1.9.1.0 | SUPEE-11314 1.9.1.0 | 9622d5d1497025a8bfddcad31443f4f0 |
| Magento CE 1.9.1.1 | SUPEE-11314 1.9.1.1 | ade35426b537eb4ddfea6ccb7b498545 |
| Magento CE 1.9.2.0-1.9.2.4 | SUPEE-11314 1.9.2.4 | d141210b409b159b41f7422a1bb67ea2 |
| Magento CE 1.9.3.0-1.9.4.4 | SUPEE-11314 1.9.4.4 | 19fa2e07fc6382c505e444d1923608bb |
| Magento CE 1.9.4.5 | the patch is already included | |
| OpenMage 19.4.3 | the patch is already included |
Files changed
The following files are changed in SUPEE-11314:app/code/core/Mage/Admin/Model/Observer.php app/code/core/Mage/Admin/Model/Session.php app/code/core/Mage/Admin/Model/User.php app/code/core/Mage/Admin/etc/config.xml app/code/core/Mage/Api/Model/User.php app/code/core/Mage/Api2/Model/Observer.php app/code/core/Mage/Api2/etc/config.xml app/code/core/Mage/Core/Model/Encryption.php app/code/core/Mage/Core/etc/config.xml app/code/core/Mage/Customer/Model/Customer.php app/code/core/Mage/Customer/Model/Observer.php app/code/core/Mage/Customer/etc/config.xml app/code/core/Mage/Dataflow/Model/Profile.php app/design/frontend/base/default/template/catalog/product/compare/list.phtml app/design/frontend/base/default/template/catalog/product/list.phtml app/design/frontend/base/default/template/catalog/product/list/related.phtml app/design/frontend/base/default/template/catalog/product/view.phtml app/design/frontend/base/default/template/catalog/product/view/addto.phtml app/design/frontend/base/default/template/catalog/product/widget/new/content/new_grid.phtml app/design/frontend/base/default/template/catalog/product/widget/new/content/new_list.phtml app/design/frontend/base/default/template/checkout/cart/crosssell.phtml app/design/frontend/base/default/template/checkout/cart/item/default.phtml app/design/frontend/base/default/template/checkout/cart/shipping.phtml app/design/frontend/base/default/template/checkout/cart/sidebar/default.phtml app/design/frontend/base/default/template/checkout/onepage/billing.phtml app/design/frontend/base/default/template/checkout/onepage/review/info.phtml app/design/frontend/base/default/template/customer/form/changepassword.phtml app/design/frontend/base/default/template/customer/form/edit.phtml app/design/frontend/base/default/template/customer/form/register.phtml app/design/frontend/base/default/template/customer/form/resetforgottenpassword.phtml app/design/frontend/base/default/template/downloadable/checkout/cart/item/default.phtml app/design/frontend/base/default/template/persistent/checkout/onepage/billing.phtml app/design/frontend/base/default/template/persistent/customer/form/login.phtml app/design/frontend/base/default/template/persistent/customer/form/register.phtml app/design/frontend/base/default/template/reports/widget/compared/content/compared_grid.phtml app/design/frontend/base/default/template/reports/widget/compared/content/compared_list.phtml app/design/frontend/base/default/template/reports/widget/viewed/content/viewed_grid.phtml app/design/frontend/base/default/template/reports/widget/viewed/content/viewed_list.phtml app/design/frontend/base/default/template/wishlist/item/column/cart.phtml app/design/frontend/base/default/template/wishlist/shared.phtml app/design/frontend/base/default/template/wishlist/sidebar.phtml js/lib/jquery/jquery-1.12.1.js js/lib/jquery/jquery-1.12.1.min.js js/lib/jquery/jquery-1.12.1.min.map