Who is affected? – Users of Magento Community Edition and Enterprise Edition.
Have these issues been addressed? – The SUPEE-5994 Patch Bundle covers eight different issues that are listed in the article below.
SUPEE-5994 Patch Bundle
On May 14, 2015 Magento released a bundle of eight patches that addresses the following issues:
- Admin Path Disclosure – Patch addresses internal information leakage where an attacker can force the Admin Login page to appear by directly calling a module, regardless of the URL. This exposes the Admin URL on the page and makes it easier to initiate password attacks.
- Customer Address Leak through Checkout – Information leak that enables an attacker to obtain address information from the address books of other store customers during the checkout process.
- Customer Information Leak through Recurring Profile – Information leak that allows an attacker to use fake image URLs to expose internal server paths.
- Local File Path Disclosure Using Media Cache – Attacker can use fictitious image URLs to generate exceptions that expose internal server paths, regardless of settings.
- Spreadsheet Formula Injection – Attacker-supplied data is inserted into a spreadsheet where it is interpreted as a formula. The formula is able to modify data, export personal data to another site, or cause remote code execution.
- Malicious Package Can Overwrite System Files – Attacker creates a malicious extension package that can be installed by a customer. The extension can include functionality to overwrite files and then install code that gathers or alters data within Magento.
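As an added illustration of the defensive side of the Spreadsheet Formula Injection item above (example code, not Magento's own; the sanitiser function and the constructed customer rows are assumptions), this neutralises cells before they reach an exported CSV:

```php
<?php
// Added example, not part of the Magento patch: escape CSV cells so that a
// spreadsheet application opening the export treats them as text, not formulas.
// Spreadsheet applications evaluate cells that begin with =, +, -, @, tab or CR.

function escapeCsvCell(string $value): string
{
    // Leading characters that can cause a cell to be evaluated as a formula.
    $triggers = ['=', '+', '-', '@', "\t", "\r"];
    if ($value !== '' && in_array($value[0], $triggers, true)) {
        // A leading apostrophe forces the cell to be read as literal text.
        // Caveat: genuine negative numbers ("-5") are also prefixed; emit
        // numeric columns through a separate numeric path if that matters.
        $value = "'" . $value;
    }
    // Double embedded quotes so a value cannot close its quoted field and
    // start a new (unescaped) cell in the same row.
    $value = str_replace('"', '""', $value);
    return '"' . $value . '"';
}

function buildCsvRow(array $cells): string
{
    return implode(',', array_map('escapeCsvCell', $cells)) . "\n";
}

// Constructed sample data: the third row's name field carries formula-like
// input of the kind an attacker would store in a customer account.
$rows = [
    ['Customer', 'City'],
    ['Alice Example', 'Berlin'],
    ['=SUM(A1:A2)', 'Hamburg'],
    ['@Bob "Quoted" Example', 'Munich'],
];

$csv = '';
foreach ($rows as $row) {
    $csv .= buildCsvRow($row);
}
echo $csv;
```

Run with `php` on the command line; every cell that starts with a trigger character comes out prefixed with an apostrophe, and embedded quotes are doubled per the CSV convention.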
The patch bundle provided by Magento covers both the Community Edition and the Enterprise Edition of the software. If you have not applied these patches, it is urgent that you apply them as soon as possible. To get this patch bundle, please go to Magento – Downloads.