Magento Patch SUPEE-10415
New Magento patch SUPEE-10415 is out and should, as always, be installed immediately. This patch ships with Magento 1.9.3.7 and addresses many security-related issues: cross-site request forgery, denial-of-service attacks and remote code execution. Currently, there are no known attacks in the wild.
Just in time for the shopping weeks before Christmas, Magento boosts its security with a new security patch. There are currently no known attacks, but there will be. The security problems are now visible to anyone, so you should patch your shop as fast as possible.
Patch details
You can see the full list of fixed bugs on the Magento patch website. Some key points:
- DoS protection: a denial of service can be triggered by setting a wrong parameter on account creation
- Cross-Site Scripting: an administrator who can edit product data may insert scripts into product and short descriptions that run in customers' browsers, or create a CMS page with embedded scripts
- Remote Code Execution: an administrator can inject code into promo fields
- SOAP API bugfix
Many of these problems require an administrator with limited rights who can push scripts into product data or CMS pages. This may not be a big problem for small shops, but it can be if one admin user is already compromised.
First test
My first test was successful. There were no problems detected while patching. It mainly changes things in the API and Adminhtml core folders, so there should not be much trouble with themes and frontend topics. This may be different if you use things like the API extensively, so please test this patch on your development system first!
If you run into a 404 error in your frontend after installing the patch, please read my 404 error patch 10415 post.
Conclusion
As always, hurry up and install this patch SUPEE-10415. There is no excuse if your shop gets attacked. The patch is simple to install and there are currently no known problems with it. If you find any, please let me know, or post them on sites like Stack Overflow!
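After installing, a quick check that the patch is actually recorded on the server saves a surprise later. The following is an added example, not code from the post or from Magento: it assumes that Magento 1 patch scripts append a line to app/etc/applied.patches.list whose second pipe-separated field is the patch name, and that app/Mage.php returns the version numbers from getVersionInfo(); the two sample files are constructed here so the script runs offline.

```shell
#!/bin/sh
# Added example: report whether SUPEE-10415 is listed as applied and which
# Magento 1 version the shop runs. Assumes the applied.patches.list layout
# "<timestamp> | <patch name> | <edition_version> | ..." (one entry per line)
# and the 'major'/'minor'/'revision'/'patch' keys of Mage::getVersionInfo().
set -u

# Return 0 if PATCH is recorded in applied.patches.list, 1 otherwise
# (a missing list file means no patch was ever applied through the script).
patch_applied() {
    list="$1"; patch="$2"
    [ -f "$list" ] || return 1
    awk -F'|' -v p="$patch" '
        { gsub(/^[ \t]+|[ \t]+$/, "", $2) }   # trim the patch-name field
        $2 == p { found = 1 }
        END { exit found ? 0 : 1 }' "$list"
}

# Print the Magento version as major.minor.revision.patch from app/Mage.php.
mage_version() {
    for k in major minor revision patch; do
        sed -n "s/.*'$k' *=> *'\([0-9]*\)'.*/\1/p" "$1"
    done | paste -sd. -
}

# Constructed sample shop root standing in for a real Magento installation.
tmp=$(mktemp -d)
mkdir -p "$tmp/app/etc"
cat > "$tmp/app/etc/applied.patches.list" <<'EOF'
2017-11-28 10:15:02 UTC | SUPEE-10266 | CE_1.9.3.6 | v1
2017-11-29 09:02:41 UTC | SUPEE-10415 | CE_1.9.3.7 | v1
EOF
cat > "$tmp/app/Mage.php" <<'EOF'
<?php
class Mage {
    public static function getVersionInfo() {
        return array('major' => '1', 'minor' => '9', 'revision' => '3',
                     'patch' => '7', 'stability' => '', 'number' => '');
    }
}
EOF

if patch_applied "$tmp/app/etc/applied.patches.list" SUPEE-10415; then
    echo "SUPEE-10415 applied (Magento $(mage_version "$tmp/app/Mage.php"))"
else
    echo "SUPEE-10415 NOT applied - install it before going live"
fi
```

Point the two functions at your real shop root instead of the constructed files; a reverted patch or a patch copied in by hand without the .sh script will not show up in the list, so a missing entry is a prompt to look, not proof of absence.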