Magento Security Patch 10415 Reminder

SUPEE-10415 and the Magento Commerce and Open Source releases contain multiple security enhancements that help close cross-site request forgery (CSRF), denial-of-service (DoS) and authenticated Admin user remote code execution (RCE) vulnerabilities. These releases also include a fix for customers who previously experienced patching issues caused by SOAP v1 interactions in WSDL.

As always, install the patch in a development environment and test before applying it to your live site.

If you need any assistance with security patch updates, please send an email to: magento@eboundhost.com or contact your Account Manager at eBoundHost.

For your convenience, we have quoted part of the announcement from Magento’s forum below. Visit the official Magento site for more details.


11 Updates:

APPSEC-1330: Unsanitized input leading to denial of service
APPSEC-1885: Stored XSS in Product Descriptions
APPSEC-1892: Stored XSS in Visual Merchandiser
APPSEC-1894: Remote Code Execution by leveraging unsafe unserialization
APPSEC-1897: Fix WSDL based patching to work with SOAP V1
APPSEC-1913: Remote Code Execution through Config Manipulation
APPSEC-1914: Stored XSS in CMS Page Area
APPSEC-1915: Remote Code Execution in CMS Page Area
APPSEC-1325: Stored XSS in Billing Agreements
APPSEC-1830: PHP Object Injection in product attributes leading to Remote Code Execution
APPSEC-1861: PHP Object Injection in product entries leading to Remote Code Execution
