Magento 1 EOL Patches
Patches to fix discovered vulnerabilities in Magento 1 are made available to customers who have a Magento 1 EOL Support plan. A list of these patches is maintained here, including patch date, description, and a link to download the patch. For more information on Magento 1 EOL Support, please read the FAQs.
Note: M1 Commerce patches will be available within 60 days from the date mentioned below.
| Date | ID | Severity | Description |
|---|---|---|---|
| Aug 07 2020 | 12 | | Improves PCI-DSS compliance by forcing the login form to disable autocompletion. |
| Aug 07 2020 | 13 | HIGH | Re-release of Adobe’s SUPEE-11346 (originally released on 06/22/2020) for Magento 22.214.171.124. |
| Aug 07 2020 | 14 | | Prevents parallel logins for the same user account (session attack for backend and frontend). |
| Aug 19 2020 | 15 | | Adds a new configuration option to enable the “secure” marker for all cookies. |
| Aug 28 2020 | 16 | | Adds compatibility for PHP 7.3. |
| Aug 28 2020 | 17 | | Improves clearing of session data with parallel logins. |
| Oct 01 2020 | 18 | CRITICAL | This patch is based on a backport for CVE-2020-9690 of Magento 2. |
| Oct 01 2020 | 19 | CRITICAL | Prevents admin users from using SOAP access with product attributes and a product to upload and execute executable files on the server. |
| Oct 01 2020 | 20 | | Prevents admin users with access to |
| Oct 29 2020 | 21 | | Improves compatibility of 3rd party integrations by flagging cookies as |
| Oct 29 2020 | 22 | HIGH | Prevents access to the |
| Oct 29 2020 | 23 | | Replaces the news feed URL in Magento so you receive patch notifications in your admin panel. |
| Oct 29 2020 | 24 | | Avoids incorrect form keys creating an error log entry. This is an improvement for patch ID 18. |
| Oct 29 2020 | 25 | CRITICAL | Fixes an issue whereby an administrator with permission to update product data was able to store an executable file on the server and load it via layout XML. |
| Dec 09 2020 | 26 | | Improves cookie handling. |
| Dec 09 2020 | 27 | HIGH | Prevents admin users with permission to import/export data and to create widget instances from loading an executable file via layout XML. |
| Dec 09 2020 | 28 | HIGH | Prevents admin users with permission to create products from injecting an executable file on the server via wishlist functionality. |
| Dec 09 2020 | 29 | HIGH | Prevents admin users with permission to import/export data and to edit CMS pages from injecting an executable file on the server via layout XML. |
| Dec 09 2020 | 30 | | Improves patch 20. |
| Dec 09 2020 | 31 | | Improves patch 21. |
| Dec 09 2020 | 32 | | Fixes an issue with patch 23. |
| Jan 21 2021 | 33 | | Fixes an issue with patch 31: Cookie secure flag wasn’t |
| Jan 21 2021 | 34 | | Adds |
| Apr 05 2021 | 35 | | Fixes a core bug when using prepare data for redirecting. Note: this patch is also required for patch 39 to operate properly. |
| Apr 05 2021 | 36 | HIGH | Fixes a bug in Zend Framework’s Stream HTTP Wrapper (CVE-2021-3007). |
| Apr 05 2021 | 37 | | Support for PHP 7.4 and PHP 8. In order to switch to PHP 7.4 or PHP 8 you also have to make sure any custom code and third-party extension is compatible with these PHP versions!<br>Known issue: applying this patch might fail because there are versions of Magento in circulation that use<br>Option 1: if you encounter errors when applying the patch, you can use the command line utility dos2unix to correct the line breaks. You can use the following command:<br>Option 2: if you cannot install or use dos2unix, you can also use sed on the command line to correct the line breaks: |
| Apr 05 2021 | 38 | | Changes the Content-Type of JSON responses from text/html to application/json to prevent XSS attacks. |
| Apr 05 2021 | 39 | | The wishlist sharing function has been subject to intensive spam abuse. We added a switch to the Magento configuration to disable the sharing functionality. Please note that patch #35 is required for this patch to work properly. Please make sure to configure the setting according to your needs: the behavior of the wishlist sharing functionality can be controlled via a new config option in System > Config > Wishlist > Share Options > Enable Sharing. |
| Apr 05 2021 | 40 | | We fixed a vulnerability in the MySQL adapter to prevent SQL injection attacks (CVE-2021-21024). |
| May 28 2021 | 41 | | Updates Zend_Http_Response to support HTTP/2. |
| May 28 2021 | 42 | HIGH | This patch adds improved security to unserialize() calls to avoid unexpected object creation. Attention: this patch changes almost every unserialize() call throughout the core code to prevent unwanted object creation. It touches many code aspects we’re unable to cover with tests. It might also affect functionality where you intentionally create objects via unserialize(). It’s therefore crucial to test all your integrations and customizations before you apply it in your live environments! |
| May 28 2021 | 43 | HIGH | We fixed a vulnerability that allowed users with admin access to inject code (RCE) using session manipulation. |
| May 28 2021 | 44 | HIGH | Due to missing sanitization in data flow it was possible for admin users to upload arbitrary executable files to the server. |
| May 28 2021 | 45 | HIGH | Layout XML enabled admin users to execute arbitrary commands via block methods. |
| May 28 2021 | 46 | HIGH | We fixed a vulnerability in Magento’s package manager which led to an RCE via race conditions. |
| May 28 2021 | 47 | | Zend_Validator wasn’t able to validate emails with up-to-date TLDs. The list of TLDs has been updated. |
| May 28 2021 | 48 | | Adds array_key_first() and array_key_last() with a polyfill. |
| May 28 2021 | 49 | | This fixes a bug introduced with patch #47. Magento uses a copy of Zend’s original file with modified paths. While updating the file’s content, these modified paths were replaced with their originals, so Magento wasn’t able to find the correct files anymore. |
| Aug 9 2021 | 50 | | Improves PHP 5.6 compatibility for unserialization. Please note: we do not recommend using anything older than PHP 7.3. There’s no support available for older PHP versions! |
| Aug 9 2021 | 51 | | Updates phpseclib to version 2.0.32 to fix CVE-2021-30130. |
| Aug 9 2021 | 52 | | Fixes a persisted XSS vulnerability. |
| Aug 9 2021 | 53 | CRITICAL | Restores missing .htaccess files from core automatically. In some Magento installations merchants, developers or agencies accidentally removed .htaccess files from regular core directories and thus exposed security vulnerabilities. To regain protection for these directories we automatically check for deleted .htaccess files and reinstate them in the following locations: |
| Aug 9 2021 | 54 | | Improves PHP 8 compatibility. |
| Aug 9 2021 | 55 | | Prevents DoS attacks via passwords larger than 4k. |
| Aug 9 2021 | 56 | HIGH | An administrator with permission to import/export data and to edit CMS pages was able to inject an executable file on the server via layout XML. |
| Aug 9 2021 | 57 | HIGH | Arbitrary command execution in Custom Layout Update via block method. |
| Aug 9 2021 | 58 | HIGH | Arbitrary file delete in customer media allows remote code execution. |
| Aug 9 2021 | 59 | | This patch adds brute force attack prevention to customer login via frontend and API as well as admin panel login. If enabled, this feature prevents brute force login attacks by disabling the login feature once the failed login attempt limit is reached. With every failed login attempt the login retry time increases. This time respects the max_execution_time setting. The failed login attempt counter is reset if a successful login is detected before it reaches the login attempt limit.<br>Customer Login: To enable this feature, go to<br>Admin Login: To enable this feature, go to<br>API: To enable this feature, go to |
| Sep 8 2021 | 60 | | Some of our customers are using netz98’s magerun tool to maintain their stores. With this patch we add compatibility of the patch #59 features with magerun by adding a reload() method to Mage_Customer_Model_Customer. |
| Sep 8 2021 | 61 | HIGH | An administrator with privileges to upload files via DataFlow and to create products was able to execute arbitrary code via the convert profile. The fix applies to Zend_Db::factory(). |
| Nov 4 2021 | 62 | | Improves deserialization performance for PHP 5.6. Please note: we do not recommend using anything older than PHP 7.3. There’s no support available for older PHP versions! |
| Nov 4 2021 | 63 | | Fixes an issue with brute force protection (patch #59) and requesting a reset password link. |
| Nov 4 2021 | 64 | CRITICAL | An administrator with the right to create or edit CMS pages was able to upload and execute arbitrary code using the WYSIWYG editor. |
| Jan 20 2022 | 65 | CRITICAL | Improves security checks for patch #64 and adds compatibility with symlinked media directories. |
| Jan 20 2022 | 66 | | Improves compatibility for third-party code and patch #61. |
| Jan 20 2022 | 67 | CRITICAL | Improves compatibility for import file uploads to the ./var directory and patch #64. |
| May 12 2022 | 68 | CRITICAL | Fixes to prevent RCE attacks via Varien_Convert_Adapter_Zend_Cache and Mage_Dataflow_Model_Convert_Adapter_Zend_Cache. These classes were not used in Magento core code, so we decided to remove them completely. We did not see any valid use case for changing cache entries via import/export. Attention: if you use any of these classes in your customization, you have to change your custom code in order to stay compatible. |
| May 12 2022 | 69 | HIGH | This patch prevents sending passwords in emails in plain text. Passwords in emails are replaced with asterisks. One exception: if an administrator sets a new customer password via the admin panel, you’ll now see a note on the input field that this password is sent in plain text. You now have a button to force sending a ‘Forgot Password’ email via the admin panel. |
| May 12 2022 | 71 | | Fixes a session handling issue for downloadable products, introduced in SUPEE-11314. |
| May 19 2022 | 72 | | This patch fixes a bug of patch #69 which stopped account confirmation emails from working. With patch #69 we introduced code to redact the customer password from the customer object; this patch fixes a bug that caused the customer account confirmation email to stop working. |
| Jul 25 2022 | 73 | | This patch fixes an issue with the JS and CSS merge and sets the Content-Type on an educated-guess basis. |
| Jul 25 2022 | 74 | | This patch disables the phar:// protocol for opening and/or executing the content of phar files (e.g. in the context of including templates). Many of the found vulnerabilities use phar:// files to exploit the system. Forbidding the opening of phar files and preventing unserialization on them hardens Magento. |
| Jul 25 2022 | 75 | | This patch improves handling of admin passwords and implements PCI security measures. You can now configure admin password strength settings in System > Configuration > Admin > Security > Admin Password Strength. You can set it to any of these values:<br>Password must contain at least 7 characters. Password must contain at least one number and one letter.<br>All of the rules above. Change password every 90 days. No repetition of the last 4 passwords. If the password is set by another admin, it is forced to be changed. All admin passwords are forced to be changed on activation.<br>All of the rules above. Password must contain special characters. |
| Jul 25 2022 | 76 | CRITICAL | This patch fixes an issue where an admin could use the forgot password feature to escalate their privileges. This patch contains the SQL Formatter, which is licensed under the MIT License. |
| Jul 25 2022 | 77 | | This patch reduces deprecation messages with PHP 8.0/8.1. |
| Aug 10 2022 | 78 | | Patch #75 introduced a new feature to harden administrator passwords with forced PCI compliance. Unfortunately this patch interfered with our previously introduced brute force protection (patch #59). Patch #78 fixes compatibility of admin password PCI compliance (#75) with brute force protection (#59). |
| Oct 27 2022 | 79 | | This patch fixes an XSS vulnerability in Mage_Dataflow_Model_Convert_Adapter_Http::save(), which allowed the display of content via $this->getData() on the page using echo(). |
| Oct 27 2022 | 80 | | This patch replaces rand() with mt_rand(): since PHP 7.1 mt_rand() has superseded rand() completely, and rand() was made an alias for mt_rand(). |
| Oct 27 2022 | 81 | | This patch improves patch #78: if a user lacks permission to change their password, they are informed about it. This patch fixes the current redirect loop. |
| Oct 27 2022 | 82 | | This patch improves patch #76: read-query detection is extended by DESCRIBE, TABLES, VALUES, and PREPARE. |
| Oct 27 2022 | 83 | | This patch adds a Message-ID to outgoing emails, because Google in particular has hardened its spam filter for emails without a Message-ID. |
| Oct 27 2022 | 84 | | This patch provides support for MySQL 8. |
| Mar 16 2023 | 85 | | This patch improves PHP 8 compatibility for Zend_Registry. |
| Mar 16 2023 | 86 | | This patch improves PHP 8 compatibility for report.php. |
| Jun 2 2023 | 87 | | This patch improves password security by checking if the password equals the email address for customers, and if the password equals the username or email address for admin users. |
| Jun 2 2023 | 88 | | This patch improves PHP 8 compatibility for the catalog product action attribute form. |
| Jun 2 2023 | 89 | | This patch improves PHP 8 compatibility for Mage_Api_Model_Wsdl_Config_Element. |
| Jun 2 2023 | 90 | | This patch fixes a login loop issue caused by a missing setOrigData(). This patch also hardens brute force password protection. |
| Jun 2 2023 | 91 | | This patch fixes an issue with rejected mails due to incompatible line endings. After upgrading to PHP 8, we noticed that all emails were rejected by some mail systems. As of PHP 8, the mail() function separates all parts of an email using CRLF instead of LF. However, the Zend_Mail_Transport_Sendmail wrapper class still uses LF as line separator. This resulted in mails being sent with mixed line endings. |
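What patch 42's hardening of unserialize() amounts to in PHP terms, as an added example (not code from the patch or from Magento): the `allowed_classes` option of unserialize(), available since PHP 7.0, restores serialized objects as `__PHP_Incomplete_Class` instead of instantiating the named class, so no `__wakeup()` or `__destruct()` of a class chosen by the data runs. The `CacheWriter` class and the serialized samples are constructed for the demonstration.

```php
<?php
// Added example, not the Magento patch's code. Shows a plain unserialize()
// call beside the hardened form (allowed_classes => false, PHP >= 7.0) that
// patch 42 applies across the core, and why the hardened form is safe.

class CacheWriter
{
    public static bool $wokeUp = false;   // records whether __wakeup() ran
    public string $path = '';

    public function __wakeup(): void
    {
        // Any side effect placed here runs during a plain unserialize().
        self::$wokeUp = true;
    }
}

/** Unserialize untrusted data; with $hardened the call never builds objects. */
function unserializeData(string $blob, bool $hardened): mixed
{
    if (!$hardened) {
        return unserialize($blob);                       // pre-patch style call
    }
    $value = unserialize($blob, ['allowed_classes' => false]);
    if ($value === false && $blob !== serialize(false)) {
        throw new RuntimeException('Malformed serialized data');
    }
    return $value;
}

// Constructed samples: a scalar/array cache entry and a serialized object.
$arrayBlob    = serialize(['sku' => 'ABC-123', 'qty' => 3]);
$writer       = new CacheWriter();
$writer->path = '/tmp/demo';
$objectBlob   = serialize($writer);

$data = unserializeData($arrayBlob, true);               // arrays are unaffected
assert($data['sku'] === 'ABC-123');

CacheWriter::$wokeUp = false;
unserializeData($objectBlob, false);                     // plain call: hook runs
assert(CacheWriter::$wokeUp === true);

CacheWriter::$wokeUp = false;
$obj = unserializeData($objectBlob, true);               // hardened: no object, no hook
assert(CacheWriter::$wokeUp === false);
assert($obj instanceof __PHP_Incomplete_Class);
printf("hardened result class: %s\n", get_class($obj));
```

Code that legitimately needs objects back from serialized data (the case the patch notes warn about) has to pass an explicit whitelist in `allowed_classes` rather than fall back to the plain call.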
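A login throttle with the behaviour patch 59 describes (limit on failed attempts, retry time that grows with every failure, counter reset on a successful login before the limit), as an added example and not the patch's own code. Assumptions: state is kept in a PHP array (a real store persists it per account), the retry time doubles per failure, and "respects max_execution_time" is modelled as capping a single wait at that setting.

```php
<?php
// Added example, not the Magento patch's code: a failed-login throttle as
// described for patch 59. The storage, the doubling schedule and the use of
// max_execution_time as a cap are assumptions made for this demonstration.

final class LoginThrottle
{
    /** @var array<string, array{failures:int, retryAt:int}> */
    private array $state = [];
    private int $cap;

    public function __construct(private int $maxAttempts = 5, private int $baseDelay = 10)
    {
        $exec = (int) ini_get('max_execution_time');   // 0 means unlimited (CLI)
        $this->cap = $exec > 0 ? $exec : 3600;
    }

    /** Seconds the caller still has to wait; 0 means a login may be attempted. */
    public function retryAfter(string $account, int $now): int
    {
        $s = $this->state[$account] ?? null;
        return $s === null ? 0 : max(0, $s['retryAt'] - $now);
    }

    /** True once the failed-attempt limit is reached: the login is disabled. */
    public function isDisabled(string $account): bool
    {
        return ($this->state[$account]['failures'] ?? 0) >= $this->maxAttempts;
    }

    public function recordFailure(string $account, int $now): void
    {
        $s = $this->state[$account] ?? ['failures' => 0, 'retryAt' => 0];
        $s['failures']++;
        // Retry time grows with every failure: base, 2x, 4x, ... up to the cap.
        $delay = min($this->baseDelay * (2 ** ($s['failures'] - 1)), $this->cap);
        $s['retryAt'] = $now + $delay;
        $this->state[$account] = $s;
    }

    public function recordSuccess(string $account): void
    {
        // Only a success before the limit clears the counter.
        if (!$this->isDisabled($account)) {
            unset($this->state[$account]);
        }
    }
}

// Constructed walk-through for one admin account with a limit of 3 attempts.
$t = new LoginThrottle(maxAttempts: 3, baseDelay: 10);
$now = 1_700_000_000;
$t->recordFailure('admin', $now);         // must wait before the next try
$t->recordFailure('admin', $now + 10);    // wait doubles
$t->recordFailure('admin', $now + 30);    // limit reached: login disabled
printf("retry in %ds, disabled=%s\n", $t->retryAfter('admin', $now + 30), $t->isDisabled('admin') ? 'yes' : 'no');
```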
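A validator for the three Admin Password Strength levels listed under patch 75, as an added example rather than the patch's code. Assumptions: the levels are numbered 1 to 3 in the order the page lists them, previous passwords are stored as password_hash() values, and the 90-day rule is checked against a last-change timestamp.

```php
<?php
// Added example, not the Magento patch's code: the password rules patch 75
// lists, encoded as a policy class. Level numbering and the hash-based
// history check are assumptions for this demonstration.

final class AdminPasswordPolicy
{
    public function __construct(private int $level) {}

    /** @return string[] violated rules; an empty array means the password is accepted */
    public function validate(string $password, array $previousHashes = []): array
    {
        $errors = [];
        if (strlen($password) < 7) {
            $errors[] = 'at least 7 characters';
        }
        if (!preg_match('/[0-9]/', $password) || !preg_match('/[A-Za-z]/', $password)) {
            $errors[] = 'at least one number and one letter';
        }
        if ($this->level >= 2) {
            // No repetition of the last 4 passwords (compared against stored hashes).
            foreach (array_slice($previousHashes, -4) as $hash) {
                if (password_verify($password, $hash)) {
                    $errors[] = 'must differ from the last 4 passwords';
                    break;
                }
            }
        }
        if ($this->level >= 3 && !preg_match('/[^A-Za-z0-9]/', $password)) {
            $errors[] = 'must contain special characters';
        }
        return $errors;
    }

    /** Level 2+: change forced after 90 days, when another admin set it, or on activation. */
    public function mustChange(?int $lastChanged, int $now, bool $setByOtherAdmin, bool $justActivated): bool
    {
        if ($this->level < 2) {
            return false;
        }
        $expired = $lastChanged === null || ($now - $lastChanged) > 90 * 86400;
        return $expired || $setByOtherAdmin || $justActivated;
    }
}

// Constructed check at the strictest level, with two earlier passwords on record.
$policy  = new AdminPasswordPolicy(3);
$history = [password_hash('Winter2021!', PASSWORD_DEFAULT), password_hash('Spring2022!', PASSWORD_DEFAULT)];
foreach (['short1', 'Spring2022!', 'Summer2023only', 'Summer-2023'] as $candidate) {
    printf("%-16s %s\n", $candidate, implode('; ', $policy->validate($candidate, $history)) ?: 'ok');
}
```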
Warning: Please make a database backup before installing patches live. For best results, use a file versioning tool such as Git to apply the patch.
We recommend testing patches in a staging environment first. After testing, the patches can then be installed live using versioning software such as Git. This way the patch can be applied locally (or in the staging environment), then committed and pushed normally. The steps, provided by our partner, are as follows:
- Upload the local file into <Magento_root> on the server using SFTP, SSH or your normal transport method.
- Verify the file is in the correct directory.
- In the command line interface, run the following command according to the patch extension:
- M1 Open Source:
$ patch -p1 --ignore-whitespace < /path/to/file
- M1 Commerce:
$ patch -p0 --ignore-whitespace < /path/to/file
- For visible changes in the user interface to be reflected, refresh the cache in the Admin under System > Cache Management.
Note: In some cases it will also be necessary to renew the indices.
Patches can also be undone, or reversed, with the -R option (or use your version control to remove the changes):
- M1 Open Source:
$ patch -R -p1 < /path/to/file
- M1 Commerce:
$ patch -R -p0 < /path/to/file