Magento Security Patch SUPEE-10415

 

The Magento SUPEE-10415 Security Patch was released on November 28, 2017, and addresses multiple issues in the Magento 1.x platform. We strongly recommend that merchants apply this update as soon as possible to get both the security fixes and the functional fixes it contains. Read on for the details of what it repairs and how to get help installing it.

 

Why Install Magento’s SUPEE-10415 Security Patch?

The security improvements shipped in SUPEE-10415 (and built into Magento Open Source 1.9.3.7 and Magento Commerce 1.14.3.7, which contain the same fixes) address several classes of vulnerability, including:

  • Remote code execution (RCE)
  • Cross-site request forgery (CSRF)
  • Cross-site scripting (XSS)

 

Beyond the security fixes, SUPEE-10415 brings the following functional fixes and benefits (the same three fixes apply to both editions):

  • Magento Commerce 1.14.3.7: Previously, loading the Admin could produce an "Invalid secret key. Please refresh the page." message. This has been resolved. A typo in the patch header information has been corrected. And a "No Payment Information Required" message is now displayed when a customer checks out and no amount is due. Together these reduce spurious errors and give customers reliable information about what is needed to complete a transaction.
  • Magento Open Source 1.9.3.7: The same "Invalid secret key. Please refresh the page." message on loading the Admin has been resolved. The typo in the patch header information ("pawwsord" corrected to "password") has been fixed. And customers checking out with no funds due now see the "No Payment Information Required" message, which encourages them to complete the transaction rather than abandon it.

 

What follows is a list of some of the high-severity issues the Magento Security Patch SUPEE-10415 fixes. Note that all four require an authenticated Admin account, which is why no attacks were known at release; but a limited-privilege account is enough, so a single compromised or malicious low-level admin user could have escalated to full code execution on the server.

 

APPSEC-1894: RCE (Unsafe Unserialization)

Rated 8.2 (High) under CVSSv3, this is a remote code execution fix. There were no known attacks, but an administrator with limited privileges could store attacker-controlled serialized data in promo fields; when that data was later unserialized without validation, it could lead to arbitrary remote code execution.

 

APPSEC-1913: RCE (Config Manipulation)

Rated 7.2 (High) under CVSSv3, this is another remote code execution fix. There were no known attacks, but an administrator with limited privileges could bypass configuration validation with a malformed configuration value and redirect a file path, which could be leveraged into arbitrary remote code execution.

 

APPSEC-1915: RCE (CMS Page Area)

Rated 8.2 (High) under CVSSv3, this is another remote code execution fix. There were no known attacks, but an administrator with limited privileges could create a CMS page whose content was parsed incorrectly, which could lead to arbitrary remote code execution.

 

APPSEC-1830: PHP Object Injection in Product Attributes

Rated 8.2 (High) under CVSSv3, this is a remote code execution fix with no known prior attacks. An administrator with limited privileges could add a widget block containing malicious serialized data; when that data was unserialized, it could lead to arbitrary remote code execution.
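APPSEC-1894 and APPSEC-1830 are both instances of the same bug class: PHP object injection, where data an Admin user stored is later passed to unserialize() and PHP instantiates whatever class the data names. The following is an added illustration of that bug class next to a hardened loader; it is not Magento's code and does not reproduce the actual Magento gadget chains. The TemplateCache class, the loadPromoConditions* functions, the field names and the payload are all constructed for the example.

```php
<?php
// Added example, not Magento code: the bug class behind APPSEC-1894 and
// APPSEC-1830 (PHP object injection via unserialize() of data an Admin user
// stored) next to a hardened loader. Class names, field names and the payload
// are constructed for this illustration; the real gadget chains differ.

/**
 * Any class with a magic method reachable on unserialize() is a potential
 * gadget: PHP instantiates it with attacker-chosen properties and later runs
 * __destruct() (or __wakeup()) on it without any code calling it explicitly.
 */
class TemplateCache
{
    public $path = '';
    public $body = '';

    public function __destruct()
    {
        if ($this->path !== '') {
            // With attacker-controlled $path and $body this is an arbitrary
            // file write, e.g. a PHP web shell under the document root.
            file_put_contents($this->path, $this->body);
        }
    }
}

/** Vulnerable: trusts a serialized blob saved by a limited-privilege Admin. */
function loadPromoConditionsUnsafe($stored)
{
    return unserialize($stored); // any class may be instantiated
}

/** Hardened: objects are never materialised; only scalars and arrays return. */
function loadPromoConditionsSafe($stored)
{
    $value = unserialize($stored, ['allowed_classes' => false]); // PHP >= 7.0
    if (containsObject($value)) {
        // allowed_classes=false turns objects into __PHP_Incomplete_Class;
        // treat any of them as an attack rather than silently dropping them.
        throw new UnexpectedValueException('serialized objects are not accepted');
    }
    return $value;
}

function containsObject($value)
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed payload: a promo-rule condition array smuggling a gadget object.
// It is built from a stdClass and the class name is rewritten afterwards, so
// no TemplateCache instance (and hence no __destruct) exists on the sender's side.
$target = sys_get_temp_dir() . '/supee10415-demo.php';
$gadget = new stdClass();
$gadget->path = $target;
$gadget->body = "<?php echo 'owned'; ?>\n";
$payload = str_replace('O:8:"stdClass"', 'O:13:"TemplateCache"',
    serialize(['min_qty' => 2, 'gadget' => $gadget]));

// Hardened loader: rejects the blob and writes nothing.
try {
    loadPromoConditionsSafe($payload);
} catch (UnexpectedValueException $e) {
    echo "safe loader: rejected (" . $e->getMessage() . ")\n";
}
echo 'file written by safe loader: ' . (file_exists($target) ? 'yes' : 'no') . "\n";

// Vulnerable loader: the object is created, and __destruct() fires when the
// returned value is released, writing the attacker's file.
$conditions = loadPromoConditionsUnsafe($payload);
unset($conditions);
echo 'file written by unsafe loader: ' . (file_exists($target) ? 'yes' : 'no') . "\n";
@unlink($target);
```

The important design point is that the hardened loader does not try to enumerate "bad" classes; it refuses every object, because the set of usable gadgets in a large codebase such as Magento (plus its extensions) is open-ended. Where the stored value must carry structure, storing it as JSON and decoding with json_decode() removes the object-instantiation path entirely.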

 

Install the Magento SUPEE-10415 Patch Today

For protection against the threats above and the others the patch addresses, install the Magento Security Patch SUPEE-10415. Your site will be more reliable and safer, and Forix ensures that the patch is applied correctly. Upgrade now to get the latest fixes, features, and security updates.