The SUPEE-10266 security enhancements patch was released on September 14th, 2017. It can be downloaded from the Downloads page: Magento Open Source Patches - 1.x

You can install it in the same way as previous patches or by upgrading to version 1.9.3.6.

SUPEE-10266 can cause issues in the checkout process. It protects your eCommerce store against several security-related problems: it blocks remote code execution and prevents information leaks and cross-site scripting in newsletter templates.

Here are your Magento Open Source upgrade options:

  • Upgrade to version 1.9.3.4. SUPEE-9767 version 2 is already included in the Open Source 1.9.3.4 release.
  • Revert SUPEE-9767 version 1, then install SUPEE-9767 version 2
  • Install SUPEE-9767 version 2

Installation

Be sure to install and validate the patch on a dev site first, to verify that it works as expected before introducing it to a production site. Don't forget to test that your store is working, and test the checkout process in particular.

  1. Disable Compiler at System > Configuration > Tools > Magento Compiler and clear compiled cache
  2. Download SUPEE-10266 patch from https://magento.com/tech-resources/download#download2073
  3. Place patch files into Root directory
  4. Run the patch
  5. Flush the cache and CSS/JS caches at System > Cache Management

SUPEE-10266 and Open Source version 1.9.3.6 contain multiple security enhancements that help close cross-site request forgery (CSRF), unauthorized data leak, and authenticated Admin user remote code execution vulnerabilities. These releases also include fixes for issues with image reloading and payments using one-step checkout.

If you tried to update to the latest 1.9.3.6 with Downloader and it doesn't work, note that SUPEE-10266 contains all changes from 1.9.3.6: installing SUPEE-10266 on top of 1.9.3.4 or upgrading 1.9.3.4 to 1.9.3.6 will lead to the same results.

Magento CE version 1.8

The patch can give an error message like "Not valid template file" on Magento CE version 1.8.

If your site was not patched with the latest security patches before SUPEE-10266, that may be the cause of the issue you are encountering. The SUPEE-8788 patch changes which template is pulled, so make sure you have it applied and then test your upload again.

skin/adminhtml/default/default/media/uploaderSingle.swf
skin/adminhtml/default/default/media/uploader.swf
skin/adminhtml/default/default/media/flex.swf
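
One way to check the SUPEE-8788 prerequisite described above before running SUPEE-10266 on the dev site, as an added example that is not part of the original page or of Magento's own tooling. It reads the patch log at app/etc/applied.patches.list; the pipe-separated line layout, the trailing REVERTED marker, the function names and the sample log are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: preflight check against the Magento 1 patch log.
# Assumption: each patch run is recorded as one pipe-separated line in
# app/etc/applied.patches.list, with " | REVERTED" appended when reverted.

# patch_state LOGFILE PATCH_ID -> prints applied | reverted | missing
patch_state() {
    [ -r "$1" ] || { echo missing; return 0; }
    awk -F'|' -v id="$2" '
        {
            name = $2
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            if (name != id) next            # exact match on the SUPEE id field
            # the last record for a patch wins, so a later revert is honoured
            if ($0 ~ /\|[ \t]*REVERTED[ \t]*$/) state = "reverted"
            else state = "applied"
        }
        END { if (state == "") print "missing"; else print state }
    ' "$1"
}

# preflight LOGFILE -> 0 if SUPEE-10266 may be applied, 1 if SUPEE-8788 is
# missing or reverted, 2 if SUPEE-10266 is already applied.
preflight() {
    if [ "$(patch_state "$1" SUPEE-8788)" != applied ]; then
        echo "SUPEE-8788 is not applied: install it before SUPEE-10266" >&2
        return 1
    fi
    if [ "$(patch_state "$1" SUPEE-10266)" = applied ]; then
        echo "SUPEE-10266 is already applied" >&2
        return 2
    fi
    echo "OK to apply SUPEE-10266"
}

# Constructed sample log: dates, hashes and trailing fields are made up.
write_sample_log() {
    cat > "$1" <<'EOF'
2016-10-12 09:14:02 UTC | SUPEE-8788 | CE_1.9.2.4 | v1 | 0000000000000000000000000000000000000000 | Tue Oct 11 10:00:00 2016 +0300 | constructed
2017-06-01 11:30:45 UTC | SUPEE-9767 | CE_1.9.3.0 | v1 | 1111111111111111111111111111111111111111 | Mon May 29 10:00:00 2017 +0300 | constructed
2017-07-14 08:02:10 UTC | SUPEE-9767 | CE_1.9.3.0 | v1 | 1111111111111111111111111111111111111111 | Mon May 29 10:00:00 2017 +0300 | constructed | REVERTED
EOF
}

# Usage on a real store, from the Magento root directory:
#   preflight app/etc/applied.patches.list
```

A non-zero return from `preflight` is a reason to stop and bring the store up to date on earlier patches before running SUPEE-10266.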