PT-2024-40414 · Adobe · Magento Commerce+1

Published: 2024-05-15 · Updated: 2024-05-15

Severity: None. No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions

Magento Commerce versions 1.9.0.0 through 1.14.3.9
Magento Open Source versions 1.5.0.0 through 1.9.3.9

Description

The issue covers several security vulnerabilities, including remote code execution (RCE) by an authenticated Admin user, cross-site request forgery (CSRF), and more. They can be exploited through different means, such as custom layout XML, the Create New Order feature, and PHP Object Injection in the Magento admin panel. There are also SQL injection, stored cross-site scripting (XSS), and reflected cross-site scripting (XSS) issues reachable through filter manipulation. The estimated number of potentially affected devices worldwide is not specified.

Recommendations

For Magento Commerce versions 1.9.0.0 through 1.14.3.9, apply patch SUPEE-10752 or upgrade to Magento Commerce 1.14.3.9. For Magento Open Source versions 1.5.0.0 through 1.9.3.9, apply patch SUPEE-10752 or upgrade to Magento Open Source 1.9.3.9.

Related Identifiers

GHSA-PRPF-CJ87-HWVR

Affected Products

Magento Commerce
Magento Open Source