The Magento 1.9.3.10 update contains the security patch SUPEE-10888 released on September 10. This patch fixes multiple critical security issues, like cross-site scripting and data overwrite, for all versions of Magento below 1.9.3.10. This update should be installed as soon as possible to protect your site from hackers who could exploit these vulnerabilities in the future.
Magento announced that it will provide security patches for Magento Open Source 1.5 to 1.9 until June 2020, after that day you have to either upgrade your store to Magento 2 to remain secure or rely on the Magento community to provide those patches.
Here an overview of the fixes vulnerabilities:
- APPSEC-2061: Authenticated Unauthorised Data Access Via Layout Injection
- APPSEC-1971: Reflective XSS against Admin Panel
- APPSEC-2067: Admin to Admin XSS in configurable custom attribute label
- APPSEC-2066: Admin to Admin XSS in Catalog Attribute Media Label
- APPSEC-2060: Overwrite all Reviews
- APPSEC-1859: Reset password URL includes the customer ID
- APPSEC-1730: Downloader does not force to use HTTPS
- APPSEC-1936: Customer password recoverable from the database
- APPSEC-1933: Moxieplayer Redirect
- APPSEC-2002: E-mail admin users when a new administrator is created.
- APPSEC-1790: Possibility to inject XML via gift card registry
Do not forget to create backups of your site before installing updates.
(Image by peshkova)
