Magento Security Issue

Upgrade Your Site Now
 
Critical security and functional enhancements for Magento 1.x and Magento 2.x are now available.
ENTERPRISE EDITION 1.14.3, COMMUNITY EDITION 1.9.3, AND SUPEE-8788
Enterprise Edition 1.14.3 and Community Edition 1.9.3 deliver over 120 quality improvements, as well as support for PHP 5.6. They also resolve critical security issues, including:

  • Remote code execution vulnerabilities with certain payment methods
  • Possibility of SQL injections due to Zend Framework library vulnerabilities
  • Cross-site scripting (XSS) risks with the Enterprise Edition private sale invitation feature
  • Improper session invalidation when an Admin user logs out
  • The ability for unauthorized users to back up Magento files or databases

The SUPEE-8788 patch addresses these security issues in earlier Magento versions. Unfortunately, we have discovered that the SUPEE-8788 patches for Community Edition 1.8 and earlier releases and Enterprise Edition 1.13 and earlier releases fail if a store has previously applied SUPEE-1533 or SUPEE-3941 security patches. We are working to correct this issue and will provide new patches in the next one to three days. Until then, we are removing these versions of the SUPEE-8788 patch from distribution.
Functional update details and installation instructions are available in the Enterprise Edition and Community Edition  release notes; a full list of security updates is published in the Magento Security Center.
ENTERPRISE EDITION AND COMMUNITY EDITION 2.0.10 AND 2.1.2
Updates to Magento 2 software address the same critical security issues described above. Additionally, the releases make several functional improvements and API enhancements. New API methods allow 3rd party solutions, such as shipping or ERP applications, to use APIs to transition an order state when they create an invoice or shipment. Magento 2.1.2 now also includes PHP 7.0.4 support and Magento 2.0.10 and 2.1.2 are compatible with MySQL 5.7. A summary of improvements is available in the release notes; all security updates are listed in the Security Center.
You are advised to deploy these new releases right away. Updates should be installed and tested in a development environment before being put into production. Also, please use this occasion to do a security assessment in accordance with our Security Best Practices.
Thank you for your continued cooperation and support.
Best regards,
The Magento Team