Magento Patch Bundle SUPEE 8788 - Why need to Install?

Talk to Experts Need expert help? Don’t hesitate to talk.

You can do direct email atinfo@mconnectmedia.com

WE'RE HERE FOR YOU

We would love to hear about your Magento project, challenge, or opportunity. We'll respond within 24 hours!

SUPEE-8788 Patch

With the increasing technology, chances for the information getting hacked or leaked is also increasing simultaneously. These security issues also occur with Magento platform too. These issues cause loss of information, spamming, loss of credentials etc. To resolve such issues faced by Magento platform and maintain its performance, several upgrades are released Magento team. This provides a tool to keep your store safe and secure.

The upgrades which are released to solve the security issues are called as the Security patches. Whenever a security patch becomes available, a notification is sent to all the merchants in their admin inbox. You can know about the security vulnerabilities by scanning your Magento shop.

Now let us talk about the Security patch SUPEE-8788. The Magento team has recently released the security patch SUPEE-8788 to address the Zend Framework and Payment vulnerabilities. It includes 17 APPSEC updates to provide protection against security threats like

  • Remote Code Execution in checkout
  • SQL Injection/Improper validation
  • Cross-site Scripting in invitations
  • Information leakage
  • Insufficient data protection
  • Remote Code Execution in admin
  • Full page cache Poisoning
  • Cross-site Scripting in URL processing
  • Cross-site Scripting in Categories Management
  • Denial of Services
  • Cross-site scripting in Flash file uploader
  • Filter avoidance
  • Cross-site Request Forgery in several forms
  • CSRF on removing item from Wishlist or Address Book
  • Insufficient Session Expiration
  • Lack of certificate validation and Timing attack.

This security patch makes sure that once the user is logged out from his account, it makes sure that the sessions have been invalidated. Along with this, all the above-stated security issues has been addressed with the solutions which are long lasting.

To make you understand each of the 17 APPSEC updates, we have included all the relevant information in a table format. Let us go through it together:

No. APPSEC Updates Security Issue Severity Level Description
1 APPSEC-1484 Remote Code Execution in checkout 9.8 (Critical) With some payment methods it could execute malicious PHP coding during checkout process.
2 APPSEC-1480 SQL injection in Zend Framework 9.1 (Critical) In this bug, a malicious user can inject SQL in the Zend Framework into the ordering or grouping parameters.
3 APPSEC-1488 Stored XSS in invitations 8.2 (High) A malicious JavaScript can be added in regards to admin by using the invitation feature of Magento Enterprise Edition.
4 APPSEC-1247 Block cache exploit 7.7 (High) An attacker can get access to any CMS functionality with administrator permissions can ex-filtrate the information stored in cache by using blocks. It can also execute the codes.
5 APPSEC-1517 Log in as another customer 7.5 (High) A malicious user can log in to the account using the email address and not password of an existing store customer.
6 APPSEC-1375c Remote Code Execution in admin 6.5 (Medium) The import/export functionality without any proper checking supplies the un-serialize data from the Magento Admin dashboard.
7 APPSEC-1338 Full Page Cache poisoning 6.5 (Medium) The full page cache feature can be manipulated to store incorrect pages under regular page URL entries. (Magento Enterprise Edition)
8 APPSEC-1436 XSS vulnerability in URL processing 6.1 (Medium)

 

The Magento functions which are related to URL processing uses user-supplied data from request headers, incorrectly.
9 APPSEC-1211 XSS in categories management 6.1 (Medium) To access the catalog, a category can be created with malicious JavaScript coding. And this can be used in other Admin panel parts.
10 APPSEC-1058 GIF flooding 5.3 (Medium) A denial of service attack occurs when a malicious user uploads any modified image which ultimately causes a script timeout.
11 APPSEC-666 Cross-site scripting in Flash file uploader 5.3 (Medium) On the sites which use the file custom option, the reflected cross-site scripting is possible.
12 APPSEC-1282 Filter avoidance 4.9 (Medium) To stop specially crafted exploit strings, the Implementation of filters for XSS in email templates and other Admin features will not enough.
13 APPSEC-327 CSRF in several forms 4.7 (Medium)

 

Due to improper form key validation in several forms, a CSRF attack is possible which allows a malicious user to create a phishing form which executes an action such as update cart or login that when clicked by a user. (older versions of Magento)
14 APPSEC-1189 CSRF on removing the item from Wishlist or Address Book 4.7 (Medium) Create a phishing page that would remove any item from wishlist or customer’s address when a customer visits that page.
15 APPSEC-1478 Session does not expire on logout 4.2 (Medium) There is no Session timeout after the user logouts from its account which could result into access to the customer’s account.
16 APPSEC-1106 Lack of certificate validation enables MitM attacks 3.7 (Low) This could result in disclosure of customer’s information.
17 APPSEC-995 Timing attack on hash checking 3.7 (Low) It can create a timing attack on the password checking functionality.

Some of the issues which are mentioned are very critical as per severity level but they have been fixed with the patches. Once you have installed the patches in your store, it may happen that the Magento platform takes some time to integrate with these issue fixes.

You can go through the guideline to know the installation of a patch for Magento Community Edition here. Read our blog post on Installing Magento Patches in Different Ways

If you want to know more about the security patch SUPEE-8788, latest Magento updates or you need help installing this security patch into your Magento store, then contact and discuss your issue with our Magento® Security Experts and get a long lasting resolution for your store.

Need Magento expert help?

We provide result-driven solutions to expand the competency level and productivity.

Instant Help CenterAvailable!

Monday to FridayResponse promised within 24 hours!

Call Us

+1 319 804-8627

2 comments

  1. Thank you for sharing such an important update. I can see that this security patch can help us resolve many different security issues.

  2. I can see that this SUPEE 8788 provides the solution for multiple security bugs and issues. I would like to see the information about other important Magento Security patch. Thanks for sharing this one!

Load Comments

Your email address will not be published. Required fields are marked *

  • Worried for deadlines? Our Magento Experts are effortlessly Working from Home.
  • Check out our Magento Developer Hiring Packages for Agency as well as individuals.
View Packages

Talk to Experts Need expert help? Don’t hesitate to talk.

You can do direct email atinfo@mconnectmedia.com

WE'RE HERE FOR YOU

We would love to hear about your Magento project, challenge, or opportunity. We'll respond within 24 hours!

Please fill this form, Mr.Yogesh will reply by email asap.


Please fill this form, Mr.Darshit will reply by email asap.


Please fill this form, Mr.Jayesh will reply by email asap.


Please fill this form, Mr.Jiten will reply by email asap.


Do you know Magento 1 support will end in June 2020?
Magento 1 to Magento 2 Migration Service Error
So, Don't take the risk

Make a move & Migrate to Magento 2

  • Magento 1 to Magento 2 Migration Service - Zero Downtime

    Zero Downtime

  • Magento 1 to Magento 2 Migration Service - Timely Delivery

    Timely Delivery

  • Magento 1 to Magento 2 Migration Service - Stores Upgraded

    36+ Stores Upgraded

  • Magento 1 to Magento 2 Migration Service - Zero Data Loss

    Zero Data Loss

  • Magento 1 to Magento 2 Migration Service - Magento Developers

    Certified Magento Developers

  • Magento 1 to Magento 2 Migration Service - After Support

    60 Days After Support

How much it Cost?