SUPEE-8788, Enterprise Edition 1.14.3 and Community
Edition 1.9.3 address Zend framework and payment
vulnerabilities, ensure sessions are invalidated after a
user logs out, and make several other security
enhancements that are detailed below.

Information on additional functional enhancements
available the new 1.14.3 and 1.9.3 releases is available

Patches and upgrades are available for the following
Magento versions:

  • Enterprise Edition
    SUPEE-8788 or upgrade to Enterprise Edition 1.14.3
  • Community Edition
    SUPEE-8788 or upgrade to Community Edition 1.9.3

To download a patch or release, choose from the following


Enterprise Edition 1.14.3 PARTNER PORTAL > Magento
Enterprise Edition > Magento Enterprise Edition
1.X > Magento Enterprise Edition 1.x >
Version 1.x Releases > Version 1.14.3
Enterprise Edition > Magento Enterprise Edition
1.X > Magento Enterprise Edition 1.x >
Support and Security Patches > Security Patches
> Security Patches – October 2016

Enterprise Edition Merchants:

Enterprise Edition 1.14.3 MY ACCOUNT > Downloads Tab
> Magento Enterprise Edition 1.X > Magento
Enterprise Edition 1.x > Version
1.x Releases > Version 1.14.3
SUPEE-8788 MY ACCOUNT > Downloads Tab
> Magento Enterprise Edition 1.X > Magento
Enterprise Edition 1.x > Support and Security
Patches > Security Patches > Security Patches
– October 2016

Community Edition Merchants:


Magento CE Release Notes

See the following sections for information about this release:


Magento Community Edition 1.9.3 delivers more than 120 quality
improvements, as well as support for PHP 5.6 in addition to PHP
5.4 and 5.5.

Security Enhancements

We addressed the following security issues in this release:

General security enhancements

For more information about these security enhancements,
our Security Center article.

Patches for major security issues in earlier versions of the
Magento software are available on the Magento download page (look for



  • Resolved a potential cross-site scripting (XSS) vulnerability when
    adding a category.
  • Resolved a potential XSS vulnerability that affected the
    Magento server’s request URI.
  • Resolved a potential XSS vulnerability in invitations.
  • You can no longer cause out-of-memory errors on the
    Magento server by flooding it with images that have incorrect
  • The Magento Admin Panel login page now renders in HTTPS
    if you configured the Magento server for HTTPS.
  • We added the nosniff header to our
    .htaccess files.
  • Magento no longer uses Adobe Flash for uploads.
  • Fixed several potential issues indicated by static code
  • Resolved a potential man-in-the-middle vulnerability.
  • Resolved a potential PHP security vulnerability.
  • An administrative user is no longer able to create a
    potential security vulnerability that used the block cache.
  • Resolved a potential cross-site request forgery (CSRF)
    vulnerability involving the wishlist.
  • Resolved a potential remote code excecution exploit.
  • It is no longer possible to log in to a store as an
    existing customer using only an e-mail address.

Password enhancements

  • A user can reset a password only after receiving an
    e-mail. In addition, we introduced the following
    configuration settings:

    • Limit the number of forgotten password requests from
      one IP address to five times per hour.
    • Limit the number of forgotten password requests from
      one e-mail address to five times per 24 hours.
    • Limit the number of forgotten password requests to no
      more than once ever 10 minutes per e-mail address.
  • The forgot password link expires after the first use or
    two hours (by default).
  • When a user changes their e-mail address, they are
    required to provide their password and to acknowledge the
    change from the previous address.
  • We now ignore leading and trailing spaces in a user’s
  • The new customer e-mail now includes the customer’s
  • Resetting a password using a password recovery e-mail

Backward-Incompatible Changes

The following backward-incompatible changes were made in this

Parent class was removed.

Mage_Uploader_Model_Config_Abstract: Overrides the
magic method __call and its behavior can be
inconsistent. For example:

->setData('underscore_key', 1)
->getUnderscoreKey() //null


The following sections discuss other fixes in this release:

Tax Calculation Fixes

  • The subtotal including tax on an invoice is calculated

Shopping cart and checkout fixes

  • One product displays one time in a cart even if the product
    was added once as a guest and another time as a logged-in user.
  • Bundled products now display properly in the mini cart as
    well as the shopping cart.
  • Moving a configurable product to a shopping cart in the
    Admin Panel functions normally.
  • Shipping discount coupons are now based correctly on a
    customer’s shipping address.
  • First Class Mail letter now displays as a shipping option
    in the shopping cart.
  • You can now pay for a product using both store credit and
    reward points.
  • An exception no longer displays when a customer uses a gift
    card in an invalid transaction (such as an incorrect payment
    card number).
  • We added validation so a special price must be less than
    the actual price.
  • Exceptions no longer display when a customer checks out.
  • Fixed a programming issue that prevented serializing and
    unserializing values in the shopping cart.
  • Magento recovers from payment processor unavailability
    properly; the customer is charged and the item is shipped.
  • You can no longer order an empty product; that is, a
    product with no options.

Catalog fixes

  • A configurable product with decimal quantity less 1 now
    displays the proper quantity in the catalog.
  • Configurable products are now sorted by attribute, not by
    product ID.
  • Errors no longer display when you use
    Mage_Catalog_Block_Product_List on a product
    detail page.
  • Removed the undefined variable where from

Price rule fixes

  • A catalog price rule that targets a bundled product by
    percentage calculates the price properly.
  • A shopping cart price rule that includes tax now calculates
  • With the flat product catalog enabled, a catalog price rule
    with multi-select attributes works properly.
  • Errors no longer display when two users add a product at
    the same time. Magento thanks Babenko eCommerce for
    contributing this fix.
  • You can now add configurable products to the shopping cart
    after configuring a shopping cart rule.

Configurable swatches fixes

  • Fixed a memory leak in the configurable swatches module.
  • Configurable swatches for out-of-stock products now display
    consistently in layered navigation, the category view page, and
    the product view page.
  • Configurable swatches work properly even if there is no
    image (before the fix, a JavaScript error was thrown).
  • Resolved performance issues.
  • Swatch images for configurable products display properly.

Import/export fixes

  • We bundled the following fixes in a patch:
    • Exporting a large number of products no longer results
      in an out-of-memory error.
    • You can import into multiple stores if some stores are
      set to be replaced.
    • Re-importing customers that have a multi-select
      attribute preserves the attribute.
    • File uploads are processed properly.
    • Fixed broken help links in the Magento Admin Panel.
  • Importing products no longer consumes an excessive amount
    of memory.
  • Coupon reports exported as .csv now display
    the correct totals.

Indexer fixes

  • With flat category tables enabled, reindexing no longer
    removes the category class tag.
  • Resolved errors with the Product Flat Index not completely
    indexing a large number of changes.
  • All indexes now reindex when set to update when scheduled.
  • Improved performance of the category indexers. Magento
    thanks Vaimo for contributing this fix.
  • Categories saved with a / character as the
    suffix display properly.

Other fixes

  • Applied United States Postal Service API changes for
    January 17, 2016.
  • Default variable values now save normally.
  • The WYSIWYG editor handles XHTML tags like
    cellpadding and cellspacing properly.
  • The configuration setting Allow HTML Tags on
    is honored.
  • Orders created using the Magento Admin now display on the
    Orders and Returns page on the storefront.
  • The option to merge Cascading Stylesheets (CSS) and
    JavaScript now works properly with a responsive web design
    (RWD) theme.
  • On a mobile device when the Magento storefront uses an RWD
    theme, the Filter bar displays one time only.
  • The Magento Connect Manager downloader’s
    .htaccess file is no longer overwritten when the
    downloader component is updated.
  • The configuration cache is no longer corrupted under heavy
  • Order update e-mails are sent only once.
  • A SOAP API call to /api/soap/?wsdl returns
  • A value that contains special characters is handled without
    errors by the SOAP API.
  • Fixed the untranslatable
  • Magento now stores two-digit birth years properly (for
    example, 80 is stored as 1980).
  • HTTP 200 (OK) status codes are returned for pages after a
    session expires.
  • You can view a disabled product without errors if
    compilation is enabled.
  • A Value Added Tax (VAT) ID now validates properly. If the
    customer specifies an invalid ID, the customer is notified they
    will be charged VAT tax.
  • Listing shipments no longer displays an exception.
  • You can filter associated products for a group product
    without errors.
  • When you manage product attributes, selecting an action
    from Actions works properly.
  • You can now add a configurable product by SKU to an order
    using the Admin Panel.
  • You can now save a product’s weight attribute.
  • You can now save changes to a CMS page hierarchy when
    hierarchy metadata is disabled.
  • You can now save a banner after upgrading.
  • Using a Portable Network Graphics (.png) image
    on a CMS page no longer results in a
    HEADERS_ALREADY_SENT message to be logged.
  • Fixed an exception related to an unknown database table.
  • Fixed an issue with JavaScript merging.
  • You can now print 10 or more shipping labels without
  • A PHP notice no longer occurs when you log the Magento
    Admin Panel IP address in the event log.
  • A SQL error no longer displays when you create a new
    floating point product attribute programmatically.
  • Added a missing image to the codebase.
  • The expression
    returning a collection with column plain_value
    andhtml_value now returns a collection with
    columns plain_value and html_value.
  • Payment no longer results in the exception ERR (3):
    Notice: Undefined offset: 1 in
    app/code/core/Mage/Sales/Model/Order.php on line 1258
  • The correct telephone number displays in transactional
    e-mails. We changed the variable phone to
    store_phone. Magento thanks Classy Llama Studios
    for contributing this fix.
  • The Google sitemap now lists store URLs properly.
  • Implemented search query caching, which speeds up search
  • After a customer submits an order, the following error
    should not display: SQLSTATE[23000]: Integrity constraint
    violation: 1062 Duplicate entry 'ECO0000148' for key
  • With flat category enabled, you no longer see errors due to
    an undefined method call.
  • Case-sensitive variations of URL rewrites work as expected.
  • Resolved a JavaScript syntax error in
  • The cron-related error Warning: shell_exec() has been
    disabled for security reasons...
    has been resolved.
    Magento thanks Stefan Hagspiel for reporting this issue.
  • cron no longer runs multiple times unnecessarily.
  • Cached static blocks now display properly.