New releases contain multiple security fixes that close cross-site request forgery (CSRF), Denial-of-Service (DoS) and authenticated Admin user remote code execution (RCE) vulnerabilities. Added Nov 28, 2017.

The new Magento Open Source 1.9.3.7 and Magento Commerce 1.14.3.7 releases also include a fix for customers who had previously experienced patching issues caused by SOAP v1 interactions in WSDL.

Fixed issues:

  • Unsanitized input leading to denial of service.
  • Stored XSS in Product Descriptions.
  • Stored XSS in Visual Merchandiser.
  • Remote Code Execution by leveraging unsafe unserialization.
  • Fix WSDL based patching to work with SOAP V1.
  • Remote Code Execution through Config Manipulation.
  • Stored XSS in CMS Page Area.
  • Remote Code Execution in CMS Page Area.
  • Stored XSS in Billing Agreements.
  • PHP Object Injection in product attributes leading to Remote Code Execution.
  • PHP Object Injection in product entries leading to Remote Code Execution.

Magento no longer displays the “Invalid Secret Key. Please refresh the page.” message when a user loads the Admin. The one-page checkout page now displays the following message when a customer checks out an order for which no amount is due: "No payment information required".

A typo in the patch header information has been corrected (autocomplete="new-pawwsord" is now autocomplete="new-password").

Confirm that there are no PHP warnings generated by any of the extensions or customizations.

Magento Open Source upgrade

Use Magento Open Source 1.9.3.0 or later for all new Magento Open Source installations and upgrades to get the latest fixes, features, and security updates.

We recommend upgrading your Magento store to the latest version.