
Wagento Blog


New Magento 1.x Security Updates

This entry was posted on November 30, 2017 by Saurabh Parikh


Magento is releasing new versions of Magento Commerce and Magento Open Source to increase product security:

  • Magento Commerce 1.14.3.7
  • Magento Open Source 1.9.3.7
  • SUPEE-10415 (patch for earlier Magento 1.x versions)

These releases contain multiple security changes that help close cross-site scripting and authenticated Admin user remote code execution vulnerabilities.

Magento Commerce 1.14.3.7 Release Notes:

This patch (SUPEE-10415) provides resolution of multiple critical security issues. These critical security issues include remote code execution, cross-site scripting, and cross-site request forgery issues. We recommend upgrading your Magento store to this latest version. See Magento Security Center for a comprehensive discussion of these issues.

Fixed issues

  • Magento no longer displays the “invalid secret key”.
  • The one-page checkout page now displays the following message when a customer checks out an order for which no amount is due: No payment information required.
  • Magento has fixed a typo in the patch header information. (autocomplete="new-pawwsord" is now autocomplete="new-password".)

Notes

  • Magento no longer supports custom file extensions for Mage::log(). Supported file extensions include .log, .txt, .html, .csv.
  • Passwords for new users are now limited to 256 characters.

Magento Open Source 1.9.3.7 Release Notes:

This patch (SUPEE-10415) provides resolution of multiple critical security issues. These critical security issues include remote code execution, cross-site scripting, and cross-site request forgery issues. We recommend upgrading your Magento store to this latest version. See Magento Security Center for a comprehensive discussion of these issues.

Fixed issues

  • Magento no longer displays the “invalid secret key”.
  • The one-page checkout page now displays the following message when a customer checks out an order for which no amount is due: No payment information required.
  • Magento has fixed a typo in the patch header information. (autocomplete="new-pawwsord" is now autocomplete="new-password".)

Notes

  • Magento no longer supports custom file extensions for Mage::log(). Supported file extensions include .log, .txt, .html, .csv.
  • Passwords for new users are now limited to 256 characters.
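
The Mage::log() note in both sets of release notes affects custom modules that log to their own files. The following pre-upgrade check is an added example, not code from Magento or Wagento: it scans PHP source for Mage::log() calls whose file name argument falls outside the supported extensions listed above. It assumes the file name is the third argument of Mage::log(); the PHP sample embedded in it is constructed.

```python
import re
import sys
from pathlib import Path

ALLOWED = {"log", "txt", "html", "csv"}  # extensions listed in the release notes
CALL = re.compile(r"Mage::log\s*\(")
TOKEN = re.compile(r"""'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|.""", re.S)
LITERAL = re.compile(r"""^(['"])([^'"]*)\1$""")  # one plain string literal

def split_args(src, i):
    """Split a PHP argument list that starts just after '(' at index i."""
    args, depth = [""], 0
    for tok in TOKEN.finditer(src, i):   # string literals arrive as one token
        t = tok.group()
        if t == "," and depth == 0:
            args.append("")
            continue
        if t in ")]" and depth == 0:     # closing paren of the call itself
            return [a.strip() for a in args]
        depth += (t in "([") - (t in ")]")
        args[-1] += t
    return []                            # unterminated call: nothing to report

def audit(src):  # returns (line, file argument, reason) for each flagged call
    findings = []
    for m in CALL.finditer(src):
        args = split_args(src, m.end())
        if len(args) < 3 or args[2].lower() in ("null", "''", '""'):
            continue                     # default log file is used
        line = src.count("\n", 0, m.start()) + 1
        lit = LITERAL.match(args[2])
        if not lit:
            findings.append((line, args[2], "dynamic file name, review manually"))
        elif Path(lit.group(2)).suffix[1:].lower() not in ALLOWED:
            findings.append((line, lit.group(2), "unsupported extension"))
    return findings

# Constructed PHP sample, not taken from any real module.
SAMPLE = r"""<?php
Mage::log('order saved');
Mage::log($e->getMessage(), Zend_Log::ERR, 'payment.log');
Mage::log(print_r(array('a', 'b'), true), null, 'debug.xml');
Mage::log("sync, done", null, 'export.json', true);
Mage::log($msg, null, $this->_getLogFile());
"""

if __name__ == "__main__":               # pass one or more module directories
    for p in (q for a in sys.argv[1:] for q in Path(a).rglob("*.php")):
        for line, arg, why in audit(p.read_text(errors="replace")):
            print(f"{p}:{line}: {arg} ({why})")
```

Calls flagged as dynamic build the file name at run time, so the extension has to be confirmed by reading the code that produces it.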

We strongly recommend that all merchants upgrade to these versions as soon as possible. 

Contact us to upgrade your store version or apply security patches.