Download files for SUPEE-10266
November 21. The new SUPEE patch contains multiple security enhancements that help close cross-site request forgery (CSRF), unauthorized data leak, and authenticated Admin user remote code execution vulnerabilities.

These releases also include fixes for issues with image reloading and payments using one-step checkout. You can install the patch in the same way as previous patches or by upgrading to Magento 1. Test that your store is working.

The vulnerabilities addressed are the following.

An attacker with the ability to launch a man-in-the-middle attack on a network connection could inject code into the Magento Admin RSS feed.

An attacker can target non-Apache installations (for example, Nginx) to upload executable scripts that can be used to stage additional exploitation. A Magento administrator with limited privileges can exploit a vulnerability in the newsletter template to create a URL that can be used as part of a CSRF attack.

An administrator can inject code into sales order records, which can result in an XSS attack on anyone who views the page. A Magento administrator can perform malicious actions because of an inadequate security check of the form key on the customer segment page. An attacker can craft a URL request on a Magento site during checkout and retrieve information about past orders.
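The "inadequate security check of the form key" is the class of bug where a state-changing Admin request is accepted even though the anti-CSRF token is not actually verified against the session. As an added, stand-alone PHP illustration (not Magento's own code and not part of the original page; the function names, the array-based session and request, and the sample values are assumptions for this example), the following shows a weak form-key check next to one that requires a POST, binds the key to the server-side session, and compares it in constant time.

```php
<?php
// Added example of a CSRF form-key check. Not Magento code; all names
// and the array-based session/request below are assumptions.

declare(strict_types=1);

// Issue a per-session form key and keep it server-side in the session.
function issueFormKey(array &$session): string
{
    if (empty($session['form_key'])) {
        $session['form_key'] = bin2hex(random_bytes(16));
    }
    return $session['form_key'];
}

// Weak check: passes whenever *some* form_key is present in the request,
// without comparing it to the key bound to the session. A cross-site POST
// carrying any non-empty value is therefore accepted.
function weakFormKeyCheck(array $request): bool
{
    return !empty($request['form_key']);
}

// Hardened check: the request must be a POST, it must carry a form_key,
// the session must already hold one, and the two must match in constant
// time (hash_equals) so that comparison timing leaks nothing.
function strictFormKeyCheck(array $session, array $request, string $method): bool
{
    if ($method !== 'POST') {
        // State changes must never be reachable via GET links or images.
        return false;
    }
    $supplied = $request['form_key'] ?? '';
    $expected = $session['form_key'] ?? '';
    if (!is_string($supplied) || $supplied === '' || $expected === '') {
        return false;
    }
    return hash_equals($expected, $supplied);
}

// Constructed sample: one legitimate request and one forged cross-site request.
$session = [];
$key = issueFormKey($session);

$legit  = ['form_key' => $key,        'segment_id' => 7];
$forged = ['form_key' => 'anything',  'segment_id' => 7];

// The weak check accepts the forged request; the strict check rejects it,
// accepts the legitimate POST, and rejects the same key sent over GET.
var_dump(weakFormKeyCheck($forged));
var_dump(strictFormKeyCheck($session, $forged, 'POST'));
var_dump(strictFormKeyCheck($session, $legit, 'POST'));
var_dump(strictFormKeyCheck($session, $legit, 'GET'));
```

Run it with `php example.php`. The design point is that the token's presence is meaningless on its own; only a comparison against a value the attacker cannot read (the server-side session copy) turns the form key into a CSRF defense, and restricting the action to POST removes the cheapest cross-site delivery vectors.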

Several fields in the Admin panel do not correctly handle autocomplete, which could result in an information leak when a browser tries to autocomplete the field. Magento does not properly validate session cookies, or cause them to expire, which potentially permits visitors to use expired cookies to interact with a store. Please refer to Security Best Practices for additional information on how to secure your site. Be sure to implement and test the patch in a development environment first to confirm that it works as expected before deploying it to a production site.