On September 14, 2017, Magento released the latest security patch SUPEE-10266 for Magento Community Edition (Magento Open Source) versions prior to 1.9.3.6 and Magento Enterprise Edition (Magento Commerce) versions prior to 1.14.3.6. The patch (SUPEE-10266) provides fixes for several functional and multiple critical security issues:

• RSS session admin cookie can be used to gain Magento administrator privileges.
• Remote Code Execution vulnerability in CMS and layouts
• Exposure of Magento secret key from app/etc/local.xml
• Directory traversal in template configuration
• CSRF + Stored Cross Site Scripting (customer group)
• Admin Notification Stored XSS
• Potential file uploads solely protected by .htaccess
• CSRF + Stored Cross Site Scripting in newsletter template
• XSS in admin order view using order status label in Magento
• Customer Segment Delete Action uses GET instead of POST request
• Order Item Custom Option Disclosure
• Admin login does not handle autocomplete feature correctly
• Secure cookie check to prevent MITM not expiring user sessions

How to install New Magento Security Patch SUPEE-10266:

• Go to the Magento Open Source Download Page > Release Archive Tab > Magento Open Source Patches – 1.x Section
• Find SUPEE-10266
• Follow the instructions

Be sure to implement and test the patch in the development environment first to confirm that it works as expected before deploying it to the production site.

Subscribe to WatchDogs Magento Security Monitoring and receive notifications about Magento security patches that you miss on your web store and detect malware attacks for FREE.