A new security patch (SUPEE-10497) is now available for merchants using Magento Open Source 1.9.1.1. Magento has released it with some urgency to deal with new security flaws detected by its team.

Important note: This patch replaces SUPEE-10266 (released September 14, 2017) and SUPEE-10415 (released November 28, 2017).

 

Do I need to patch?

This issue affects users of Magento Open Source 1.9.1.1 only.  Users of Magento Commerce, or any other version of Magento Open Source, are not affected.

SUPEE-10415, Magento Commerce 1.14.3.7 and Open Source 1.9.3.7 contain multiple security enhancements that help close cross-site request forgery (CSRF), Denial-of-Service (DoS) and authenticated Admin user remote code execution (RCE) vulnerabilities. These releases also include a fix for customers who had previously experienced patching issues caused by SOAP v1 interactions in WSDL.

 

What do I need to do?

Based on information received from Magento themselves, you need to perform the following tasks with some urgency:

 

| Most recent patch installed | Action required |
| --- | --- |
| SUPEE-10266 | Remove this patch, and install SUPEE-10497. |
| SUPEE-10415 | Remove this patch and SUPEE-10266, and install SUPEE-10497. |
| SUPEE-9767 | No need to remove this patch. Just install patch bundle SUPEE-10497. |

 

Our recommendations

In order to maintain the security of your online shop, we strongly recommend that all merchants upgrade their patches as soon as is reasonably possible. If we host your site directly, we may have already upgraded your system; however, you are always advised to contact us to check.

If you are not currently one of our customers, and would like to talk to us – then please get in touch.  We offer a range of web hosting and design services for the smallest to the largest online retailers…