SUPEE-10888 is the latest security patch update for both Magento Commerce 1.14.3.10 and Open Source 1.9.3.10. SUPEE-10888 was released on September 10, 2018, and addresses a range of security problems, including remote cross-site scripting and cross-site request forgery. The patch also includes several performance enhancements to improve the functionality of the Magento Commerce and Open Source platforms.

 

Magento Security Patch SUPEE-10888 is available now to be installed with professional Magento managed support in the following versions:

 

  • For Magento Commerce 1.9.0.0-1.14.3.10 users, install either SUPEE-10888 or Magento Commerce 1.14.3.10.
  • For Magento Open Source 1.5.0.0-1.9.3.10 users, install either SUPEE-10888 or Magento Open Source 1.9.3.10.

 

The Magento ongoing support experts at top Magento agency Forix highly recommend that all merchants update their Magento platforms with the SUPEE-10888 security patch to ensure the safety of their online stores and access the benefits of improved performance for their Magento Commerce and Open Source platforms.

 

Security Improvements

 

You can anticipate enhanced protection from the following security threats after upgrading to Magento Security Patch SUPEE-10888 with Magento managed services from your Magento developer Forix.

 

APPSEC-2061: Authenticated Data Breach Through Layout Injection

 

This security threat enables an administrator with restricted privileges to acquire information to which he or she does not have access. This issue impacted Magento Open Source versions before 1.9.3.10, as well as Magento Commerce versions before 1.14.3.10.

 

APPSEC-1971: Reflective XSS Against Admin Grid

 

This cross-site scripting issue allows arbitrary JavaScript to execute on the sales panel page by setting one of the URL parameters.

 

APPSEC-1859: Reset password URL Contains the Customer ID

 

This security risk allows an attacker to see a customer’s ID in the reset password link for the user’s account. The attacker can then use that ID to obtain access to the customer’s account and information.

 

APPSEC-2067: Admin to Admin XSS in Modified Custom Attribute Labels

 

This security issue can potentially permit an admin with restricted privileges to use a cross-site scripting (XSS) attack against a different admin.

 

APPSEC-2066: Admin to Admin XSS in Catalog Configured Media Label

 

This prospective security breach involves an administrator with limited privileges using a cross-site scripting attack against another administrator in the system.

 

APPSEC-2060: Overwrite All Reviews

 

This information exposure security threat makes it possible to overwrite reviews and data with certain types of configurations.

 

APPSEC-1936: Customer Information Available Through the Database

 

This security threat enables a user with malicious intent to employ a brute force attack to generate the global/secret/key in the app/local database. The user can then access and decrypt the file to obtain the password of a Magento customer from the sales quote table of the database.

 

APPSEC-1933: Moxieplayer Redirect

 

This security configuration risk permits an open redirect through Moxieplayer to any site, which can be used to exploit users.

 

Performance Enhancements

 

In addition to protection from the aforementioned security threats, you can expect to see several performance improvements when you install Magento Security Patch SUPEE-10888 with the assistance of Magento managed services from top Magento developer Forix, including:

 

APPSEC-2002: Automatic E-mail When a New Admin Account Is Established 

 

This performance improvement helps identify recently established admin accounts by sending an email whenever a new admin is created.

 

APPSEC-1730: User Doesn’t Compel HTTPS Usage

 

This new feature ensures the downloaders can only employ HTTPS connections.

 

Still curious about SUPEE-10888? Get in touch with an expert at Forix to hear more.