Magento has recently disclosed further security flaws and urged its users to apply patch SUPEE-6285 immediately. It is the third critical security patch released in recent months, after SUPEE-5344 and SUPEE-5994, and applies to all editions of the Magento Community and Enterprise software.
It is recommended that you either apply all three patches or upgrade to the latest version of the application immediately, to protect your website from exposure to multiple security vulnerabilities.
What security issues do these releases safeguard against?
Although no attacks exploiting the following issues have been confirmed, Magento has issued a critical warning so that store owners can act before an attack happens.
The patch addresses the following vulnerabilities:
An attacker can exploit the flaw to impersonate an administrator and gain access to the last-orders feed, posing a serious threat by exposing sensitive order data held on the website.
Multiple further issues, including cross-site scripting (XSS), cross-site request forgery (CSRF) and error-path disclosure vulnerabilities, have also been addressed.
How do I download and apply these patches?
All site owners and administrators need to install the patch immediately:
Enterprise Edition: download the patch available for Enterprise Edition 1.9 and later releases.
Community Edition: download the patch available for Community Edition 1.4.1 to 1.9.1.1, or install the latest release, Community Edition 1.9.2, which is now available for download.
Please note:
For the patch to work correctly, SUPEE-5994 (issued in May) must already be applied.
Apply the right patch for your instance, as there are separate patches for each edition and version of Magento.
The patches are not server-wide, so if your store runs multiple Magento instances you will need to apply the patch to each instance individually.
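Because the patch has to be applied per instance and only after SUPEE-5994, a pre-flight check across all instances on a server saves trouble. The script below is an added example, not part of the original post or of Magento's own tooling. It relies on one real behaviour, namely that every Magento patch script appends a line naming its patch id to app/etc/applied.patches.list in the instance it was run against, and classifies each instance as apply, skip or blocked. The instance names, the abridged applied.patches.list lines and the patch script file name are constructed placeholders; substitute the script you downloaded for your exact edition and version.

```shell
#!/bin/sh
# Added example (not Magento's code). Pre-flight check before running the
# SUPEE-6285 patch script on several Magento instances on one server.
# Assumptions: instance roots live under one base directory; the patch
# script name passed to run_all is a placeholder.

# patch_applied INSTANCE_DIR PATCH_ID -> exit 0 if PATCH_ID is recorded in
# app/etc/applied.patches.list (the file each Magento patch script appends to).
patch_applied() {
  list="$1/app/etc/applied.patches.list"
  [ -f "$list" ] && grep -q -- "$2" "$list"
}

# plan_for INSTANCE_DIR -> prints exactly one of:
#   skip    : SUPEE-6285 already recorded
#   apply   : SUPEE-5994 present and SUPEE-6285 not yet applied
#   blocked : SUPEE-5994 missing, so SUPEE-6285 must not be run yet
plan_for() {
  if patch_applied "$1" SUPEE-6285; then echo skip
  elif patch_applied "$1" SUPEE-5994; then echo apply
  else echo blocked
  fi
}

# apply_patch INSTANCE_DIR PATCH_SCRIPT: run the Magento-supplied patch
# script from the instance root, which is where the scripts expect to run.
apply_patch() {
  ( cd "$1" && sh "$2" )
}

# Constructed sample data: three fake instance roots with different patch
# histories. Real applied.patches.list lines carry more fields; only the
# patch id matters for the check above.
make_sample_instances() {
  base=$(mktemp -d)
  for name in shop-a shop-b shop-c; do mkdir -p "$base/$name/app/etc"; done
  # shop-a: SUPEE-5344 and SUPEE-5994 applied -> needs SUPEE-6285
  printf '%s\n' \
    '2015-02-10 09:00:00 UTC | SUPEE-5344 | CE_1.9.1.0 | v1' \
    '2015-05-15 09:00:00 UTC | SUPEE-5994 | CE_1.9.1.0 | v1' \
    > "$base/shop-a/app/etc/applied.patches.list"
  # shop-b: never patched -> blocked until SUPEE-5994 is applied
  : > "$base/shop-b/app/etc/applied.patches.list"
  # shop-c: already fully patched -> skip
  printf '%s\n' \
    '2015-05-15 09:00:00 UTC | SUPEE-5994 | CE_1.9.1.1 | v1' \
    '2015-07-08 09:00:00 UTC | SUPEE-6285 | CE_1.9.1.1 | v1' \
    > "$base/shop-c/app/etc/applied.patches.list"
  echo "$base"
}

# run_all BASE_DIR PATCH_SCRIPT: report every instance; with DRY_RUN=0 the
# patch script is run only in instances classified "apply".
run_all() {
  base="$1"; script="$2"
  for inst in "$base"/*/; do
    inst=${inst%/}
    plan=$(plan_for "$inst")
    echo "$(basename "$inst"): $plan"
    if [ "$plan" = apply ] && [ "${DRY_RUN:-1}" = 0 ]; then
      apply_patch "$inst" "$script"
    fi
  done
}

SAMPLE=$(make_sample_instances)
run_all "$SAMPLE" PATCH_SUPEE-6285_CE_1.9.1.1_v1.sh
```

Run with DRY_RUN=0 and a real base directory to apply for real; the default only reports. The check is deliberately simple: it looks for the patch id anywhere in the file, so if a patch was applied and later reverted, inspect applied.patches.list by hand before trusting a "skip".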
To read about more Magento vulnerabilities, see our earlier blog posts:
Hackers Exploit Zero-Day Vulnerability in eBay's Magento, Compromising Credit Card Information
Major Vulnerability Discovered in Magento Ecommerce: Apply Security Patch Immediately