Magento 1 EOL Patches
Patches to fix discovered vulnerabilites in Magento 1 are made available to customers who have a Magento 1 EOL Support plan. A list of these patches is maintained here, including patch date, description, and a link to download the patch. For more information on Magento 1 EOL Support, please read the FAQs.
Note:M1 Commerce patches will be available within 60 days from date mentioned below.
|Aug 07 2020||12||Improves PCI-DSS compliance by forcing login form to disable autocompletion.||Download||Download|
|Aug 07 2020||13||
(HIGH)Re-release of Adobe’s SUPEE-11346 (originally released on 06/22/2020) for Magento 22.214.171.124.
|Aug 07 2020||14||Prevents parallel logins for the same user account (session attack for backend and frontend).||Download||Download|
|Aug 19 2020||15||Adds new configuration option to enable “secure” marker for all cookies.||Download||Download|
|Aug 28 2020||16||Adds compatibility for PHP 7.3.||Download||Download|
|Aug 28 2020||17||Improves clearing of session data with parallel logins.||Download||Download|
|Oct 01 2020||18||
(CRITICAL)This patch is based on a backport for CVE-2020-9690 of Magento 2.
|Oct 01 2020||19||
(CRITICAL)Prevents admin users from using soap access w/product attributes and a product to upload and execute executable files to the server.
|Oct 01 2020||20||Prevents admin users with access to
|Oct 29 2020||21||Improves compatibility of 3rd party integrations by flagging cookies as
|Oct 29 2020||22||
(HIGH)Prevents access to the
|Oct 29 2020||23||Replaces the news feed URL in Magento so you receive patch notifications in your admin panel.||Download||Download|
|Oct 29 2020||24||Avoids incorrect form keys creating an error log entry. This is an improvement for patch ID 18.||Download||Download|
|Oct 29 2020||25||
(CRITICAL)Fixes an issue whereby an administrator with permission to update product data was able to store an executable file on the server and load it via layout xml.
|Dec 09 2020||26||Improves cookie handling.||Download||Download|
|Dec 09 2020||27||
(HIGH)Prevents admin users with permission to import/export data and to create widget instances from loading an executable file via layout xml.
|Dec 09 2020||28||
(HIGH)Prevents admin users with permission to create products from injecting an executable file on the server via wishlist functionality.
|Dec 09 2020||29||
(HIGH)Prevents admin users with permission to import/export data and to edit cms pages from injecting an executable file on the server via layout xml.
|Dec 09 2020||30||Improves patch 20.||Download||Download|
|Dec 09 2020||31||Improves patch 21.||Download||Download|
|Dec 09 2020||32||Fixes an issue with patch 23.||Download||Download|
|Jan 21 2021||33||Fixes an issue with patch 31: Cookie secure flag wasn’t
|Jan 21 2021||34||Adds
|Apr 05 2021||35||Fixes a core bug when using prepare data for redirecting. Note: This patch is also required for patch 39 to operate properly.||Download||Download|
|Apr 05 2021||36||
(HIGH)Fixes a bug in Zend Framework’s Stream HTTP Wrapper - CVE-2021-3007
|Apr 05 2021||37||Support for PHP 7.4 and PHP 8. In order to switch to PHP 7.4 or PHP 8 you also have to make sure any custom code and third party extension is compatible with these PHP versions!
Known Issue: Applying this patch might fail because there are versions of Magento in circulation that use
Option 1: If you encounter errors when applying the patch, you can use the command line utility dos2unix to correct the line breaks. You can use the following command:
Option 2: If you cannot install or use dos2unix, you can also use sed on the command line to correct the line breaks:
|Apr 05 2021||38||Changes the content-type in json responses from text/html tot application/json to prevent XSS attacks||Download||Download|
|Apr 05 2021||39||The wishlist sharing function has been subject to intensive SPAM abuse. We added a switch to the Magento configuration to disable the sharing functionality. Please note that MO-35 is required for this patch to work properly. Please make sure to configure the setting according to your needs: The behavior of the Wishlist Sharing functionality can be controlled via a new config option in System > Config > Wishlist > Share Options > Enable Sharing||Download||Download|
|Apr 05 2021||40||We fixed a vulnerability in the MySQL adapter to prevent SQL injection attacks. CVE-2021-21024||Download||Download|
|May 28 2021||41||Updates Zend_Http_Response to support HTTP/2||Download||Download|
|May 28 2021||42||
(HIGH)This patch adds improved security to unserialize() calls to avoid unexpected object creation. Attention: This patch changes almost every unserialize() call throughout the core code to prevent unwanted object creation. It touches many code aspects we’re unable to cover with tests. It might also affect functionality you intentionally wanted to create objects via unserialize(). It’s therefore crucial to test all your integrations and customizations before you apply it in your live environments!
|May 28 2021||43||
(HIGH)We fixed a vulnerability that allowed users with admin access to inject code (RCE) using session manipulation.
|May 28 2021||44||
(HIGH)Due to missing sanitation in data flow it was possible for admin users to upload arbitrary executable files to the server.
|May 28 2021||45||
(HIGH)Layout XML enabled admin users to execute arbitrary commands via block methods.
|May 28 2021||46||
(HIGH)We fixed a vulnerability in Magento’s package manager which lead to a RCE via race conditions.
|May 28 2021||47||Zend_Validator wasn’t able to validate emails with uptodate TLDs. The list of TLDs has been updated.||Download||Download|
|May 28 2021||48||Adds array_key_first() and array_key_last() with a polyfill.||Download||Download|
|May 28 2021||49||This fixes a bug introduced with MO-47. Magento uses a copy of Zend’s original file with modified paths. While updating the file’s content, these modified paths have been replaced with their originals. So Magento wasn’t able to find the correct files anymore.||Download||Download|
|Aug 9 2021||50||Improves PHP5.6 compatibility for unserialization. Please Note: We do not recommend to use anything older than PHP7.3. There’s no support available for older PHP Versions!||Download||Download|
|Aug 9 2021||51||Updates phpseclib to version 2.0.32 to fix CVE-2021-30130.||Download||Download|
|Aug 9 2021||52||Fixes a persisted XSS vulnerability.||Download||Download|
|Aug 9 2021||53||
(CRITICAL)Restores missing .htaccess files from core automatically. In some Magento installations merchants or developers or agencies accidentally removed .htaccess files from regular core directories and thus exposed security vulnerabilities. To regain protection for these directories we automatically check for deleted .htaccess files and reinstate them in the following locations:
|Aug 9 2021||54||Improving PHP8 compatibility.||Download||Download|
|Aug 9 2021||55||Prevent DoS attack via passwords larger than 4k.||Download||Download|
|Aug 9 2021||56||
(HIGH)An administrator with permission to import/export data and to edit cms pages was able to inject an executable file on the server via layout xml.
|Aug 9 2021||57||
(HIGH)Arbitrary command execution in Custom Layout Update via block method.
|Aug 9 2021||58||
(HIGH)Arbitrary file delete in customer media allows remote code execution.
|Aug 9 2021||59||This patch adds brute force attack prevention to customer login via Frontend and API as well as admin panel login. If enabled this feature prevents brute force login attacks by disabling the login feature once the failed login attempts limit is reached. With every failed login attempt the login retry time increases. This time is respecting the max_execution_time setting. The failed login attempts counter will be reset if a successful login is detected before it reaches the login attempt limit.
Customer Login: To enable this feature, go to
Admin Login: To enable this feature, go to
API: To enable this feature, go to
|Sep 8 2021||60||Some of our customers are using netz98’s magerun tool to maintain their stores. With this patch we add additional compatibility for our last patch #59 features with magerun by adding a reload() Method to the Mage_Customer_Model_Customer.||Download||Download|
|Sep 8 2021||61||
(HIGH)An administrator with privileges to upload files via DataFlow and to create products was able to execute arbitrary code via the convert profile. The fix applies to the Zend_Db::factory().
WarningPlease make a database backup before installing patches live. For best results, use a file versioning tool such as Git to apply the patch.
We recommend testing patches in a staging environment first. After testing, the patches can then be installed live using versioning software such as Git. This way the patch can be applied locally (or in the staging environment), then committed and pushed normally. The steps, provided by our partner, are as follows:
- Upload the local file into the
<Magento_root>on the server using SFTP, SSH or your normal transport method.
- Verify the file is in the correct directory.
- In the command line interface, run the following command according to the patch extension:
- M1 Open Source:
$ patch -p1 --ignore-whitespace < /path/to/file
- M1 Commerce:
$ patch -p0 --ignore-whitespace < /path/to/file
- M1 Open Source:
- For visible changes in the user interface to be reflected, refresh the cache in the Admin under
System > Cache Management.
NoteIn some cases it will also be necessary to renew the indices.
Patches can also be undone, or reversed, with the
-R option (or use your version control to remove the changes):
- M1 Open Source:
$ patch -R -p1 < /path/to/file
- M1 Commerce:
$ patch -R -p0 < /path/to/file
- Magento 1 EOL Support
- How to Contact Support
- Web Controls
- How to Block Countries from Accessing Your Site
- How to Edit the Whitelist
- How to Edit the Blacklist
Have questions not answered here? Please Contact Support to get more help.
Was this page helpful?
Glad to hear it! Have any more feedback? Please share it here.
Sorry to hear that. Have any more feedback? Please share it here.