SUPEE-10266, Magento Commerce (Enterprise) 1.14.3.6 and Open Source (Community) 1.9.3.6 contain multiple security enhancements that help close cross-site request forgery (CSRF), unauthorized data leak, and authenticated Admin user remote code execution vulnerabilities. These releases also include fixes for issues with image reloading and payments using one-step checkout.
As always, install the patch in a development environment and test before applying it to your live site.
If you need any assistance with security patch updates, please send an email to: [email protected] or contact your Account Manager at eBoundHost.
For your convenience, we have quoted some of the announcement from Magento’s Forum below.
13 Updates:
APPSEC-1838: RSS session admin cookie can be used to gain Magento administrator privileges
APPSEC-1800: Remote Code Execution vulnerability in CMS and layouts
APPSEC-1835: Exposure of Magento secret key from app/etc/local.xml
APPSEC-1757: Directory traversal in template configuration
APPSEC-1852: CSRF + Stored Cross Site Scripting (customer group)
APPSEC-1494: AdminNotification Stored XSS
APPSEC-1793: Potential file uploads solely protected by .htaccess
APPSEC-1853: CSRF + Stored Cross Site Scripting in newsletter template
APPSEC-1729: XSS in admin order view using order status label in Magento
APPSEC-1579: Customer Segment Delete Action uses GET instead of POST request
APPSEC-1588: Order Item Custom Option Disclosure
APPSEC-1599: Admin login does not handle autocomplete feature correctly
APPSEC-1688: Secure cookie check to prevent MITM not expiring user sessions
Be sure to implement and test the patch in a development environment first to confirm that it works as expected before deploying it to a production site.
Visit the official Magento site for more details, or continue reading to learn more about best practices for securing your Magento store.