
Cloud Vulnerability DB
A community-led vulnerabilities database
Magento released patch SUPEE-10752 on June 29, 2018, addressing multiple critical security vulnerabilities affecting Magento Commerce 1.14.3.9 and Open Source 1.9.3.9. The patch addresses several security issues, including authenticated Admin user remote code execution (RCE), cross-site request forgery (CSRF), and multiple cross-site scripting (XSS) vulnerabilities. This security update affects versions of Magento Community Edition prior to 1.9.3.9 (GitHub Advisory).
The advisory covers multiple security issues: authenticated Remote Code Execution (RCE) through custom layout XML and the Create New Order feature, PHP Object Injection vulnerabilities in the admin panel, authenticated SQL Injection in the category saving functionality, and multiple cross-site scripting (XSS) vulnerabilities across different modules. The issues also include a path traversal vulnerability in templates and potential database credential leakage through cron.php (GitHub Advisory).
The vulnerabilities could allow attackers to execute remote code, perform SQL injection attacks, conduct cross-site request forgery attacks, and exploit the cross-site scripting vulnerabilities. Additionally, they could lead to database credential exposure and PHP object injection attacks in the admin panel (GitHub Advisory).
Users are advised to apply patch SUPEE-10752 or upgrade to the patched versions. Magento Commerce users running versions 1.9.0.0-1.14.3.9 are recommended to upgrade to Magento Commerce 1.14.3.9. Magento Open Source users running versions 1.5.0.0-1.9.3.9 should upgrade to Magento Open Source 1.9.3.9 (GitHub Advisory).
Source: This report was generated using AI