Magento Security Alert

Who is affected? – Users of Magento Community Edition and Enterprise Edition.

Have these issues been addressed? – The SUPEE-5994 Patch Bundle covers eight different issues that are listed in the article below.

SUPEE-5994 Patch Bundle

On May 14, 2015 Magento released a bundle of eight patches that addresses the following issues:

  • Admin Path Disclosure – Patch addresses internal information leakage where an attacker can force the Admin Login page to appear by directly calling a module, regardless of the URL. This exposes the Admin URL on the page, and makes it easier to initiate password attacks.
  • Customer Address Leak through Checkout – Information leak that enables an attacker to obtain address information from the address books of other store customers during the checkout process.
  • Customer Information Leak through Recurring Profile – Information leak that allows an attacker to use fake image URLs to expose internal server paths.
  • Local File Path Disclosure Using Media Cache – Attacker can use fictitious image URLs to generate exceptions that expose internal server paths, regardless of settings.
  • Cross-site Scripting Using Authorize.Net Direct Post Module – Cross-site scripting (XSS) that enables an attacker to execute JavaScript in a customer session. If a customer clicks a malicious link, the attacker can steal cookies and hijack the session.
  • Spreadsheet Formula Injection – Formula injection is used to insert formulas into spreadsheets. The formula is able to modify data, export personal data to another site, or cause remote code execution.
  • Malicious Package Can Overwrite System Files – Attacker creates a malicious extension package that can be installed by a customer. Extension can include functionality to overwrite files and then install programming used to gather data or alter data within Magento.

Source: Magento Community Edition 2015 Patches – SUPEE-5994 Patch Bundle 5994
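The spreadsheet formula injection item above describes the risk but not the mitigation. The following is an added example, not code from Magento or from this article: a small Python CSV exporter that neutralises cells a spreadsheet would otherwise evaluate as formulas. The field names and sample rows are constructed for illustration.

```python
import csv
import io

# Leading characters that Excel and LibreOffice interpret as the start of a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return a string that a spreadsheet will display as literal text.

    A leading apostrophe forces text mode in common spreadsheet applications,
    so a value such as "=1+1" is shown as typed rather than evaluated.
    """
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_rows(rows, fieldnames):
    """Serialise dict rows to CSV, neutralising every free-text cell on the way out."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({name: neutralize_cell(row.get(name)) for name in fieldnames})
    return buf.getvalue()


# Constructed sample data: a customer-supplied "note" field carrying a harmless formula.
SAMPLE_ROWS = [
    {"name": "Alice", "note": "=1+1"},
    {"name": "Bob", "note": "Gift wrap please"},
    {"name": "Carol", "note": None},
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_ROWS, ["name", "note"]))
```

Apply the neutralisation only to free-text columns: a numeric column such as an order total of "-5.00" would also be prefixed and then fail to sort or sum as a number, so numeric fields should be emitted as numbers and text fields through the filter.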

The patch provided by Magento covers both the Community Edition and the Enterprise Edition of the software. If you have not applied these patches, it is urgent that you apply them as soon as possible. To get this patch bundle, please go to Magento – Downloads.

Thoughts on “Magento Security Alert”

  • The site cannot be published to the specified location.
    The specified site location does not have ionCube Loader support. Please contact the server administrator.

    • Hello Jim,

      Did you have a specific question regarding the Magento Security alert?

      Kindest Regards,
      Scott M
