Magento has published a software update that covers security issues.
Magento CE 1.9.3 Release Notes (devdocs.magento.com)
Magento Community Edition 1.9.3 delivers more than 120 quality improvements, as well as support for PHP 5.6 in addition to PHP 5.4 and 5.5.
General security enhancements
- Resolved a potential SQL injection (Zend Framework issue)
- Resolved a cache poisoning issue
- We now provide better protection against path exploits.
- Resolved a potential cross-site scripting (XSS) vulnerability when adding a category.
- Resolved a potential XSS vulnerability that affected the Magento server's request URI.
- Resolved a potential XSS vulnerability in invitations.
- You can no longer cause out-of-memory errors on the Magento server by flooding it with images that have incorrect dimensions.
- The Magento Admin Panel login page now renders in HTTPS if you configured the Magento server for HTTPS.
- We added the nosniff header to our .htaccess files.
- Magento no longer uses Adobe Flash for uploads.
- Fixed several potential issues indicated by static code scans.
- Resolved a potential man-in-the-middle vulnerability.
- Resolved a potential PHP security vulnerability.
- An administrative user is no longer able to create a potential security vulnerability that used the block cache.
- Resolved a potential cross-site request forgery (CSRF) vulnerability involving the wishlist.
- Resolved a potential remote code execution exploit.
- It is no longer possible to log in to a store as an existing customer using only an e-mail address.
A user can reset a password only after receiving an e-mail. In addition, we introduced the following configuration settings:
- Limit the number of forgotten password requests from one IP address to five times per hour.
- Limit the number of forgotten password requests from one e-mail address to five times per 24 hours.
- Limit the number of forgotten password requests to no more than once every 10 minutes per e-mail address.
- The forgot password link expires after the first use or two hours (by default).
- When a user changes their e-mail address, they are required to provide their password and to acknowledge the change from the previous address.
- We now ignore leading and trailing spaces in a user's password.
- The new customer e-mail now includes the customer's password.
- Resetting a password using a password recovery e-mail succeeds.
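The forgotten-password throttling and reset-link rules listed above (five requests per IP per hour, five per e-mail per 24 hours, at most one per e-mail every 10 minutes, link single-use and valid for two hours), implemented as an added Python example. This is not Magento's own code; the class name, the in-memory sliding-window queues and the lower-casing of e-mail addresses are assumptions.

```python
import secrets
from collections import defaultdict, deque

# Policy values taken from the release notes above (seconds)
PER_IP_LIMIT, PER_IP_WINDOW = 5, 3600        # five per IP per hour
PER_EMAIL_LIMIT, PER_EMAIL_WINDOW = 5, 86400 # five per e-mail per 24 hours
MIN_INTERVAL = 600                           # one per e-mail every 10 minutes
TOKEN_TTL = 7200                             # link valid two hours, single use


class ForgotPasswordThrottle:
    """Hypothetical in-memory throttle; a real store would back this with a DB."""

    def __init__(self):
        self.by_ip = defaultdict(deque)      # ip -> request timestamps
        self.by_email = defaultdict(deque)   # email -> request timestamps
        self.tokens = {}                     # token -> (email, issued_at)

    @staticmethod
    def _prune(queue, now, window):
        # Drop timestamps that have fallen out of the sliding window
        while queue and now - queue[0] >= window:
            queue.popleft()

    def request_reset(self, ip, email, now):
        """Return (token, 'ok') or (None, reason) when the request is throttled."""
        email = email.strip().lower()        # assumption: case-insensitive addresses
        ipq, emq = self.by_ip[ip], self.by_email[email]
        self._prune(ipq, now, PER_IP_WINDOW)
        self._prune(emq, now, PER_EMAIL_WINDOW)
        if len(ipq) >= PER_IP_LIMIT:
            return None, "ip-hourly-limit"
        if len(emq) >= PER_EMAIL_LIMIT:
            return None, "email-daily-limit"
        if emq and now - emq[-1] < MIN_INTERVAL:
            return None, "email-interval"
        ipq.append(now)
        emq.append(now)
        token = secrets.token_urlsafe(32)    # unguessable link token
        self.tokens[token] = (email, now)
        return token, "ok"

    def redeem(self, token, now):
        """Consume a reset token: usable once, and only within TOKEN_TTL."""
        entry = self.tokens.pop(token, None)  # pop makes the link single-use
        if entry is None:
            return None                       # unknown or already used
        email, issued = entry
        if now - issued > TOKEN_TTL:
            return None                       # expired after two hours
        return email
```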
SUPEE-8788, Enterprise Edition 1.14.3 and Community Edition 1.9.3 address Zend Framework and payment vulnerabilities, ensure sessions are invalidated after a user logs out, and make several other security enhancements that are detailed below.
Information on additional functional enhancements available in the new 1.14.3 and 1.9.3 releases is available in the Enterprise Edition and Community Edition release notes.
The previous release was on February 28, 2016.
Our Website Maintenance Department will be in contact with our clients regarding this upgrade.