Magento has released a new security patch for both Enterprise and Community editions on October 11th 2016.
SUPEE-8788 fixes a range of potential security issues that have been identified.
These issues include:
- Remote code execution in checkout
- SQL injection in Zend Framework
- Stored XSS in invitations
- Block cache exploit
- Potential login as another customer
- Remote code execution in admin
- Cache poisoning
- XSS vulnerability in URL processing
- XSS in category management
- GIF Flooding
- Cross-site scripting in flash uploader
- Filter avoidance
- CSRF in several forms
- CSRF on removing item from wishlist or address book
- Session length does not expire properly on logout
- Timing attack on hash checking
We strongly advise everyone to update to the latest security patch version as quickly as possible. Clients with active retainers will have already been contacted regarding securing their site. If you have any questions, feel free to drop us a line.