UPDATE: Pathces for magento versions prior to 1.9 have been pulled for now and will be re-released in the next couple of days.
SUPEE-8788, Enterprise Edition 1.14.3 and Community Edition 1.9.3 address Zend framework and payment vulnerabilities, ensure sessions are invalidated after a user logs out, and make several other security enhancements that are detailed below.
The patch covers some critical vulnerabilities
- APPSEC-1484 – Remote Code Execution in checkout
- APPSEC-1480 – SQL injection in Zend Framework
Some rated as High threat
- APPSEC-1488 – Stored XSS in invitations
- APPSEC-1247 – Block cache exploit
- APPSEC-1517 – Log in as another customer
And a rangeof Medium threats.
- APPSEC-1375 – Remote Code Execution in admin
- APPSEC-1338 – Full Page Cache poisoning
- APPSEC-1436 – XSS vulnerability in URL processing
- APPSEC-1211 – XSS in categories management
- APPSEC-1058 – GIF flooding
- APPSEC-666 – Cross-site scripting in Flash file uploader
- APPSEC-1282: Filter avoidance
- APPSEC-327 – CSRF in several forms
- APPSEC-1189 – CSRF on removing item from Wishlist or Address Book
- APPSEC-1478: Session does not expire on logout
- APPSEC-1106 – Lack of certificate validation enables MitM attacks
- APPSEC-995 – Timing attack on hash checking
Needless to say the patch should be applied as soon as possible. Ideally, as your developer to apply or if you need us to apply please raise a ticket.
Full details as always here: https://magento.com/security/patches/supee-8788
The patch cooincides with a new release of Magento 1x which now reaches 1.9.3.0
There are a range of side effects and things to look out for here: