SUPEE-10266, Magento Commerce 1.14.3.6 and Open Source 1.9.3.6 contain multiple security enhancements that help close cross-site request forgery (CSRF), unauthorized data leak, and authenticated Admin user remote code execution vulnerabilities. These releases also include fixes for issues with image reloading and payments using one-step checkout.

If you don’t want to upgrade your Magento installation to 1.9.3.6, you can install this security patch instead: it contains the security fixes added in Magento 1.9.3.6, so a patched store is on par with 1.9.3.6 as far as these fixes are concerned.

SUPEE-10266 for Magento Commerce (Enterprise Edition) includes a fix for a functional issue MPERF-9685, related to checkout with a zero order amount. This fix is not included in release 1.14.3.6. However, in some cases, SUPEE-10266 can cause issues in the checkout process. Specifically, if a customer enables the Add gift options checkbox during checkout, the checkout process will not progress beyond the payments step.

Magento is working on fixing this issue and will release patch SUPEE-10266v2 for Magento Commerce shortly to address it.

Affected versions and remediation:

  • Magento Commerce 1.9.0.0-1.14.3.4: apply SUPEE-10266 or upgrade to Magento Commerce 1.14.3.6
  • Magento Open Source 1.5.0.0-1.9.3.4: apply SUPEE-10266 or upgrade to Magento Open Source 1.9.3.6

List of Issues Addressed by this Security Patch

  • RSS session admin cookie can be used to gain Magento administrator privileges: An attacker can use a low privilege RSS session cookie to escalate privileges and gain access to the Magento Admin Portal.
  • Remote Code Execution vulnerability in CMS and layouts
  • Exposure of Magento secret key from app/etc/local.xml: An administrator with limited privileges can create content that references and exposes sensitive Magento installation information that could be leveraged in further exploitation.
  • Directory traversal in template configuration: An administrator with limited privileges can force Magento store notifications to include internal system files.
  • CSRF + Stored Cross Site Scripting (customer group): A Magento administrator with limited privileges can exploit a vulnerability in the customer group to create a URL that can be used as part of CSRF attack.
  • AdminNotification Stored XSS: An attacker with the ability to launch a Man-in-the-middle attack on a network connection could inject code on the Magento Admin RSS feed.
  • Potential file uploads solely protected by .htaccess: An attacker can target non-Apache installations (for example, Nginx) to upload executable scripts that can be used to stage additional exploitation.
  • CSRF + Stored Cross Site Scripting in newsletter template: A Magento administrator with limited privileges can exploit a vulnerability in the newsletter template to create a URL that can be used as part of a CSRF attack.
  • XSS in admin order view using order status label in Magento: An administrator can inject code into sales order records, which can result in an XSS attack against anyone who views the page.
  • Customer Segment Delete Action uses GET instead of POST request: A Magento administrator can perform malicious actions through an inadequate security check of the form key in the customer segment page.
  • Order Item Custom Option Disclosure: An attacker can craft a URL request on a Magento site during checkout and retrieve information about past orders.
  • Admin login does not handle autocomplete feature correctly: Several fields in the Admin panel do not correctly handle autocomplete, which could result in a potential information leak when a browser tries to autocomplete the field.
  • Secure cookie check to prevent MITM not expiring user sessions: Magento does not properly validate session cookies or cause them to expire, which potentially permits visitors to use expired cookies to interact with a store.
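Several of the items above (customer group, newsletter template, customer segment delete) share one root cause: a state-changing Admin action reachable by a bare GET with no form-key check, which is what makes the CSRF attack possible. The following is an added illustration and not Magento's code: a stand-in for a segment "delete" action in its weak and hardened forms, where the function names, the `$request` array layout and the in-memory `$segments` store are hypothetical.

```php
<?php
// Added example (not Magento's own code). handleDeleteWeak/handleDeleteHardened,
// the $request array and the $segments store are hypothetical stand-ins.

// Per-session anti-CSRF token, generated once and kept server-side in the session.
function issueFormKey(array &$session): string {
    if (empty($session['form_key'])) {
        $session['form_key'] = bin2hex(random_bytes(16));
    }
    return $session['form_key'];
}

// Weak pattern: any request naming an id deletes it. Because the browser attaches
// the admin's session cookie to a GET, a forged cross-site request is enough.
function handleDeleteWeak(array $request, array $session, array &$segments): bool {
    $id = $request['params']['id'] ?? null;
    if ($id === null || !isset($segments[$id])) {
        return false;
    }
    unset($segments[$id]);
    return true;
}

// Hardened pattern: require POST and a form key matching the session copy.
function handleDeleteHardened(array $request, array $session, array &$segments): bool {
    if ($request['method'] !== 'POST') {
        return false;                       // GET never changes state
    }
    $sent     = (string)($request['params']['form_key'] ?? '');
    $expected = (string)($session['form_key'] ?? '');
    // hash_equals gives a constant-time compare; an empty expected key is rejected
    if ($expected === '' || !hash_equals($expected, $sent)) {
        return false;
    }
    $id = $request['params']['id'] ?? null;
    if ($id === null || !isset($segments[$id])) {
        return false;
    }
    unset($segments[$id]);
    return true;
}

// Constructed demo data: two segments, one forged GET (no form key), one legitimate POST.
$session  = [];
$formKey  = issueFormKey($session);
$segments = [7 => 'VIP customers', 8 => 'Newsletter opt-ins'];
$forged   = ['method' => 'GET',  'params' => ['id' => 7]];
$legit    = ['method' => 'POST', 'params' => ['id' => 8, 'form_key' => $formKey]];

var_dump(handleDeleteWeak($forged, $session, $segments));      // weak handler deletes id 7
var_dump(handleDeleteHardened($forged, $session, $segments));  // hardened handler refuses
var_dump(handleDeleteHardened($legit, $session, $segments));   // hardened handler accepts
```

Run with `php example.php`; the middle call is the one the patch is about, since the forged request carries a valid session cookie but no form key and arrives via GET.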