SUPEE-10266 Released

March 7, 2018
Magento Security
Tom Puchalski
Director of Magento Success

Tom is the Director of Magento Success for JetRails. For over 20 years, he has been passionate about learning new technologies. He has spent his career analyzing thousands of e-commerce stores and transforming businesses through extensive research, insights, best practices & partnerships. He brings his expertise to JetRails by helping customers grow and drive Magento success. At the end of the day, Tom believes ecommerce is about people not just servers.

SUPEE-10266, together with the Magento Commerce (Enterprise) 1.14.3.6 and Open Source (Community) 1.9.3.6 releases, contains multiple security enhancements that close cross-site request forgery (CSRF), unauthorized data leak, and authenticated Admin user remote code execution vulnerabilities. These releases also include fixes for issues with image reloading and payments using one-step checkout.

As always, install the patch in a development environment and test before applying it to your live site.

If you need any assistance with security patch updates, please send an email to: [email protected] or contact your Account Manager at eBoundHost.

For your convenience, we have quoted some of the announcement from Magento’s Forum below. Read the rest on the Magento site.


13 Updates:

APPSEC-1838: RSS session admin cookie can be used to gain Magento administrator privileges.
APPSEC-1800: Remote Code Execution vulnerability in CMS and layouts
APPSEC-1835: Exposure of Magento secret key from app/etc/local.xml
APPSEC-1757: Directory traversal in template configuration
APPSEC-1852: CSRF + Stored Cross Site Scripting (customer group)
APPSEC-1494: AdminNotification Stored XSS
APPSEC-1793: Potential file uploads solely protected by .htaccess
APPSEC-1853: CSRF + Stored Cross Site Scripting in newsletter template
APPSEC-1729: XSS in admin order view using order status label in Magento
APPSEC-1579: Customer Segment Delete Action uses GET instead of POST request
APPSEC-1588: Order Item Custom Option Disclosure
APPSEC-1599: Admin login does not handle autocomplete feature correctly
APPSEC-1688: Secure cookie check to prevent MITM not expiring user sessions

Please refer to SECURITY BEST PRACTICES for additional information on how to secure your site.

Be sure to implement and test the patch in a development environment first to confirm that it works as expected before deploying it to a production site.
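Once the patch has been applied in the development environment, the practical check before promoting it is whether the Magento 1 patch script actually recorded the patch. The SUPEE-*.sh scripts append one line per applied patch to app/etc/applied.patches.list. The helper below is an added example written for this page, not code from the JetRails post or from Magento's own tooling: the file path is real Magento 1 behaviour, but the pipe-delimited column layout in the constructed sample is an assumption, and only the patch-name token is relied on.

```shell
#!/bin/sh
# Added example (not from the JetRails post or Magento). Reports whether a
# given SUPEE patch name is recorded in a Magento 1 store's
# app/etc/applied.patches.list. The column layout of the sample lines below
# is an assumption; only the patch-name token is matched.

# supee_applied LISTFILE PATCHNAME -> exit 0 if PATCHNAME is recorded.
supee_applied() {
    list="$1"
    patch="$2"
    [ -f "$list" ] || return 1
    # -w matches the whole token, so SUPEE-1026 will not match SUPEE-10266
    grep -qw -e "$patch" "$list"
}

# Writes a constructed sample list (not a real store's file) to $1, so the
# check can be exercised offline.
make_sample_list() {
    printf '%s\n' \
        '2017-11-28 10:12:01 UTC | SUPEE-10415 | CE_1.9.3.6 | v1 | applied' \
        '2018-03-08 09:30:44 UTC | SUPEE-10266 | CE_1.9.3.6 | v1 | applied' \
        > "$1"
}

# supee_check MAGENTO_ROOT PATCHNAME -> prints a verdict, exit 1 if missing.
# Usage against a real install: supee_check /var/www/magento SUPEE-10266
supee_check() {
    root="$1"
    patch="$2"
    if supee_applied "$root/app/etc/applied.patches.list" "$patch"; then
        echo "$patch is recorded as applied in $root"
        return 0
    fi
    echo "$patch is NOT recorded in $root/app/etc/applied.patches.list" >&2
    return 1
}
```

A recorded entry only proves the script ran to completion; it does not prove the patched files were not overwritten later by a deployment from an unpatched source tree, so run the check on the deployed tree, not only on the build host.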
