
Magento SUPEE-10752 Security Patch Notice

By Steffi, 5 months ago

SUPEE-10752, Magento Commerce 1.14.3.9 and Magento Open Source 1.9.3.9 contain multiple security enhancements that help close remote code execution (RCE) by authenticated admin users, cross-site request forgery (CSRF) and other vulnerabilities.

For information on all changes in the 1.14.3.9 and 1.9.3.9 releases, see the Magento Commerce and Magento Open Source release notes.

Note: when installing patch SUPEE-10752, the most common cause of conflicts is that the previous patch (SUPEE-10570v1) is installed. Therefore, before installing SUPEE-10752, make sure SUPEE-10570v1 has been removed and SUPEE-10570v2 has been installed.
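The prerequisite above (SUPEE-10570 v1 reverted, SUPEE-10570 v2 applied) is easy to get wrong on a store that has had several patches applied and reverted over time. The following pre-flight script is an added example, not code from this article, from Astralweb or from Magento. It reads the Magento 1 patch ledger at app/etc/applied.patches.list and reports whether the store is ready for SUPEE-10752. The record layout it parses is an assumption: fields separated by " | ", the patch name in the second field, the patch revision (v1, v2, ...) in the fourth, and a revert recorded as a later line ending in a REVERTED field. The sample ledger embedded in the script is constructed for the demonstration; check the layout against your own file before relying on the result.

```python
"""Pre-flight check for the SUPEE-10752 prerequisite: SUPEE-10570 v1 must be
reverted and SUPEE-10570 v2 applied. Added example; the record layout of
app/etc/applied.patches.list assumed here is not taken from the notice."""
import sys
from dataclasses import dataclass
from typing import Dict, List, Tuple

LEDGER_PATH = "app/etc/applied.patches.list"  # Magento 1 patch ledger, relative to the store root

# Constructed sample ledger (hashes and dates are placeholders, not real values):
# v1 applied, then reverted, then v2 applied -> ready for SUPEE-10752.
SAMPLE_APPLIED_PATCHES_LIST = """\
2018-02-28 09:12:40 UTC | SUPEE-10570 | CE_1.9.3.7 | v1 | 0123abc-constructed | Tue Feb 27 12:00:00 2018 +0000 | v1.9.3.7..HEAD
2018-03-20 11:05:02 UTC | SUPEE-10570 | CE_1.9.3.7 | v1 | 0123abc-constructed | Tue Feb 27 12:00:00 2018 +0000 | v1.9.3.7..HEAD | REVERTED
2018-03-20 11:07:45 UTC | SUPEE-10570 | CE_1.9.3.7 | v2 | 4567def-constructed | Mon Mar 19 12:00:00 2018 +0000 | v1.9.3.7..HEAD
"""


@dataclass
class PatchRecord:
    name: str       # e.g. SUPEE-10570
    revision: str   # e.g. v1, v2
    reverted: bool  # True when the line records a revert (assumed trailing REVERTED field)


def parse_applied_patches(text: str) -> List[PatchRecord]:
    """Parse ledger lines into records; anything that is not a SUPEE record is skipped."""
    records: List[PatchRecord] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(" | ")]
        if len(fields) < 4 or not fields[1].startswith("SUPEE-"):
            continue
        records.append(PatchRecord(name=fields[1], revision=fields[3],
                                   reverted=fields[-1] == "REVERTED"))
    return records


def current_state(records: List[PatchRecord]) -> Dict[Tuple[str, str], bool]:
    """Replay the ledger in order: the last record for (name, revision) decides whether it is applied."""
    state: Dict[Tuple[str, str], bool] = {}
    for rec in records:
        state[(rec.name, rec.revision)] = not rec.reverted
    return state


def supee_10752_prerequisites(ledger_text: str) -> dict:
    """Return {'ready': bool, 'findings': [...]} for the prerequisite stated in the notice."""
    state = current_state(parse_applied_patches(ledger_text))
    v1_applied = state.get(("SUPEE-10570", "v1"), False)
    v2_applied = state.get(("SUPEE-10570", "v2"), False)
    already = state.get(("SUPEE-10752", "v1"), False)
    findings = []
    if v1_applied:
        findings.append("SUPEE-10570 v1 is still applied: revert it before installing SUPEE-10752")
    if not v2_applied:
        findings.append("SUPEE-10570 v2 is not applied: install it before SUPEE-10752")
    if already:
        findings.append("SUPEE-10752 is already recorded as applied")
    return {"ready": (not v1_applied) and v2_applied and not already, "findings": findings}


if __name__ == "__main__":
    # Usage: python check_supee_10752.py [path/to/applied.patches.list]
    # Without a path the constructed sample ledger is checked instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            ledger = fh.read()
    else:
        ledger = SAMPLE_APPLIED_PATCHES_LIST
    result = supee_10752_prerequisites(ledger)
    print("ready for SUPEE-10752:", result["ready"])
    for finding in result["findings"]:
        print(" -", finding)
```

Run it against the real ledger with the path argument (for example `python check_supee_10752.py app/etc/applied.patches.list` from the store root). The replay in current_state is the important part: a patch that appears in the ledger is not necessarily still applied, so the script keeps only the latest line per patch revision rather than grepping for the name.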

Patches and upgrades are available for the following Magento versions:
Magento Commerce 1.9.0.0-1.14.3.9: SUPEE-10752, or upgrade to Magento Commerce 1.14.3.9.
Magento Open Source 1.5.0.0-1.9.3.9: SUPEE-10752, or upgrade to Magento Open Source 1.9.3.9.

Download the appropriate patch or release from the options below:

Magento Partners:

Magento Commerce 1.14.3.9 Partner Portal > Magento Commerce > Magento Commerce 1.X > Magento Commerce 1.x > Version 1.x Releases > Version 1.14.3.9
SUPEE-10752 Partner Portal > Magento Commerce > Magento Commerce 1.X > Magento Commerce 1.x > Support and Security Patches > Security Patches > Security Patches – June 2018

Magento Commerce:

Magento Commerce 1.14.3.9 My Account > Downloads Tab > Magento Commerce 1.X > Magento Commerce 1.x > Version 1.x Releases > Version 1.14.3.9
SUPEE-10752 My Account > Downloads Tab > Magento Commerce 1.X > Magento Commerce 1.x > Support and Security Patches > Security Patches > Security Patches – June 2018

Magento Open Source:

Magento Open Source 1.9.3.9 Magento Open Source Download Page > Release Archive Tab
SUPEE-10752 Magento Open Source Download Page > Release Archive Tab > Magento Open Source Patches – 1.x Section

This update addresses the following issues:

  1. APPSEC-2001: Authenticated Remote Code Execution (RCE) using custom layout XML
  2. APPSEC-2015: Authenticated Remote Code Execution (RCE) through the Create New Order feature (Commerce only)
  3. APPSEC-2042: PHP Object Injection and RCE in the Magento admin panel (Commerce Target Rule module)
  4. APPSEC-2029: PHP Object Injection and Remote Code Execution (RCE) in the Admin panel (Commerce)
  5. APPSEC-2007: Authenticated SQL Injection when saving a category
  6. APPSEC-2027: CSRF is possible against Web sites, Stores, and Store Views
  7. APPSEC-1882: The cron.php file can leak database credentials
  8. APPSEC-2006: Stored cross-site scripting (XSS) through the Enterprise Logging extension
  9. APPSEC-2005: Persistent Cross-Site Scripting (XSS) injection in Configuration table
  10. APPSEC-1880: Cross-Site Scripting (XSS) through the Admin Username in the CMS Revision Editor (Commerce only)
  11. APPSEC-2004: Cross-Site Scripting (XSS) through Remote File Inclusion
  12. APPSEC-1988: Path traversal vulnerability in templates
  13. APPSEC-1987: Reflective cross-site scripting (XSS) through filter manipulation
  14. APPSEC-2034: XSS in Admin Create Order Configure Product Via Compatible File Extensions
  15. APPSEC-1876: Cross-site scripting (XSS) in Admin Bundle Product Bundle Items Tab through Product SKU
  16. APPSEC-1874: Cross-Site Scripting (XSS) in the Admin Gift Registry Type Edit via Attribute Group
  17. APPSEC-1872: Cross-Site Scripting (XSS) in the Admin Manage Catalog Events list through category name
  18. APPSEC-1928: Stored XSS in Downloadable Product Links title – frontend
  19. APPSEC-1871: Cross-Site Scripting (XSS) in the Admin Manage Customer Rewards points history using the Reason field
  20. APPSEC-1870: Cross-Site Scripting (XSS) in Admin Manage Invitations list through Invitee email address
  21. APPSEC-1972/APPSEC-2103: Admin password change does not force the logout of the Admin user
  22. APPSEC-1934: Systemic Cross-Site Request Forgery (CSRF) on the Checkout page
  23. APPSEC-1917: Password theft through uploaded video and Auth Prompt password theft vulnerability
  24. APPSEC-1993: IP spoofing

For more information, see the official Magento announcement.


The above content was written and produced by Astralweb 歐斯瑞.
