E-commerce websites are an attractive target for hackers, due to the rich customer information that is stored, and any security vulnerabilities can be quickly exploited. Magento's Security Program is committed to maintaining the security and performance of its software so constantly monitors risks and releases security patches to address any vulnerabilities found.
We strongly recommend that all security patches be installed ASAP (it is a mandatory requirement to keep Magento up-to-date and/or install the latest security patches in order to host Magento on the Create Hosting platform).
Below is an overview of the Magento 1 security patches released to date:
Sep 14, 2017 - SUPEE-10266
This patch provides resolution of multiple critical security issues and several functional fixes. These critical security issues include remote code execution, cross-site scripting, and cross-site request forgery issues. For more information, see https://magento.com/security/patches/supee-10266.
May 31, 2017 - SUPEE-9767
This critial patch contains multiple security updates, affecting Magento Enterprise Edition prior to 1.14.3.3 and Community Edition prior to 1.9.3.3. For more information, see https://magento.com/security/patches/supee-9767.
6 February 2017 - SUPEE-9652
A crtical security patch addressing the Zend library vulnerability, affecting Magento Community Edition prior to 1.9.3.2, and Magento Enterprise Edition prior to 1.14.3.2, Magento 2.1 versions prior to 2.1.4 and Magento 2.0 versions prior to 2.0.12. The Zend Framework 1 vulnerability can be remotely exploited to execute code in Magento 1. For specific information, see https://magento.com/security/patches/supee-9652.
11 October 2016 - SUPEE-8788
This is a critical security update for CE v1.5.0.1-1.9.2.4 and addresses several types of security-related issues, including remote code execution, information leaks and cross-site scripting. For specific information visit https://magento.com/security/patches/supee-8788.
23 February 2016 - SUPEE-7405 v1.1
This is an update to SUPEE-7405 to add support for PHP 5.3 and address issues with upload file permissions, merging carts, and SOAP APIs experienced with the original release. It DOES NOT address any new security issues. Note: you must install the SUPEE-7405 v1.0 patch before installing the SUPEE-7405 v 1.1 patch bundle.
20 January 2016 - SUPEE-7405 Patch Bundle
A critical bundle of patches for Magento 1.x that resolve several security-related issues. For Magento CE versions prior to 1.9.2.3. For specific information visit https://magento.com/security/patches/supee-7405.
27 October 2015 - SUPEE-6788 Patch Bundle
A critical patch bundle to address a variety of security risks including exposure of configuration and database access credentials. For Magento CE versions prior to 1.9.2.2. For specific information visit https://magento.com/security/patches/supee-6788.
4 August 2015 - SUPEE-6482 Patch Bundle
Released as a preventative measure to address potential threats. For specific information visit https://magento.com/security/patches/supee-6482.
7 July 2015 - SUPEE-6285 Patch Bundle
A bundle of patches to address a number of vulnerabilities including customer information leaking and cross site scripting. For specific information visit https://magento.com/security/patches/supee-6285.
14 May 2015 - SUPEE-5994 Patch Bundle
A bundle of eight patches to address a variety of security risks including hackers obtaining customer details via checkout and publishing malicious content. For specific information visit https://magento.com/security/patches/supee-5994.
9 February 2015 - SUPEE-5344 Patch
Released to address the Shoflift Bug which allows a hacker to access the site's admin panel and thereby take full control of the store. For specific information visit https://magento.com/security/patches/supee-5344-%E2%80%93-shoplift-bug-patch.
For an up-to-date list of Magento patches and the associated technical details visit https://magento.com/security/patches.
