{"id":3599,"date":"2015-07-08T08:03:29","date_gmt":"2015-07-08T08:03:29","guid":{"rendered":"https:\/\/www.inmotionhosting.com\/support\/2015\/07\/08\/magento-security-release-7-7-2015\/"},"modified":"2015-07-08T08:03:29","modified_gmt":"2015-07-08T08:03:29","slug":"magento-security-release-7-7-2015","status":"publish","type":"post","link":"https:\/\/www.inmotionhosting.com\/support\/edu\/magento\/magento-security-release-7-7-2015\/","title":{"rendered":"Magento Security Patch Release 7-7-2015"},"content":{"rendered":"<p class=\"alert alert-danger\"><b>Who is affected?<\/b> &#8211; Users of Magento Community Edition prior to 1.9.2.0.<\/p>\n<p class=\"alert alert-success\"><b>Have these issues been addressed?<\/b> &#8211; The SUPEE-6285 Patch Bundle covers eight different issues that are listed in the article below.<\/p>\n<h2>SUPEE-6285 Patch Bundle<\/h2>\n<p>On June 7, 2015 Magento released a bundle of eight patches that address the following issues:<\/p>\n<ul>\n<li><b>Customer Information Leak via RSS and Privilege Escalation<\/b> &#8211; An improper check for an authorized URL leads to a customer information leak (order information, order IDs, customer name). The leaked information simplifies an attack on guest Order Review, which exposes the customer email and shipping and billing addresses. In some areas, the same underlying issue can lead to privilege escalation for Admin accounts.<\/li>\n<li><b>Request Forgery in Magento Connect Leads to Code Execution<\/b> &#8211; Cross-site request forgery in Magento Connect Manager allows an attacker to execute actions such as the installation of a remote module, which leads to the execution of remote code. The attack requires a Magento store administrator, while logged in to Magento Connect Manager, to click a link that was prepared by the attacker.<\/li>\n<li><b>Cross-site Scripting in Wishlist<\/b> &#8211; This vulnerability makes it possible to include an unescaped customer name when a Wishlist is sent. 
By manipulating the customer name, an attacker can use the store to send spoofing or phishing emails.<\/li>\n<li><b>Cross-site Scripting in Cart<\/b> &#8211; The redirection link on an empty cart page uses non-validated user input, which makes it possible to use URL parameters to inject JavaScript code into the page. Cookies and other information can be sent to the attacker, who is impersonating a customer.<\/li>\n<li><b>Store Path Disclosure<\/b> &#8211; Directly accessing the URL of files that are related to Magento Connect produces an exception that includes the server path. The exception is generated regardless of the configuration settings that control the display of exceptions. There is a low risk of attackers gaining a sufficient understanding of the site structure to target an attack.<\/li>\n<li><b>Permissions on Log Files too Broad<\/b> &#8211; Log files are created with permission settings that are too broad, which allows them to be read or altered by another user on the same server. The risk of an internal information leak is low.<\/li>\n<li><b>Cross-site Scripting in Admin<\/b> &#8211; An attacker can inject JavaScript into the title of a Widget from the Magento Admin. The code can later be executed when another administrator opens the Widget page. The attack requires the attacker to already have administrator access to the store. However, when executed, the attacker can take over other administrator accounts.<\/li>\n<li><b>Cross-site Scripting in Orders RSS<\/b> &#8211; The vulnerability allows an attacker to include an unescaped customer name in the New Orders RSS feed. By manipulating the customer name, an attacker can inject incorrect or malicious data into the feed and expose the store to risk. 
<\/li>\n<\/ul>\n<p><i>Source: <a href=\"https:\/\/merch.docs.magento.com\/ce\/user_guide\/Magento_Community_Edition_User_Guide.html?mkt_tok=3RkMMJWWfF9wsRojuaTKc%2B%2FhmjTEU5z16uwlXqS2hpZ41El3fuXBP2XqjvpVQcdlML7HRw8FHZNpywVWM8TIL9kXt9BlJAzqD2w%3D#magento\/patch-releases-2015.html\" target=\"_blank\">Magento Community Edition 2015 Patches &#8211; SUPEE-6285 Patch Bundle 6285<\/a><\/i><\/p>\n<p>The patch provided by Magento covers both the <i>Community Edition<\/i> and the <i>Enterprise Edition<\/i> of the software. If you have not applied these patches, it is urgent that you apply them as soon as possible. To get this patch bundle, go to <a href=\"https:\/\/www.magentocommerce.com\/products\/downloads\/magento\/\" target=\"_blank\">Magento &#8211; Downloads<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Who is affected? &#8211; Users of Magento Community Edition prior to 1.9.2.0. Have these issues been addressed? &#8211; The SUPEE-6285 Patch Bundle covers eight different issues that are listed in the article below. 
SUPEE-6285 Patch Bundle On June 7, 2015 Magento released a bundle of eight patches that addresses the following issues: Customer Information Leak<a class=\"moretag\" href=\"https:\/\/www.inmotionhosting.com\/support\/edu\/magento\/magento-security-release-7-7-2015\/\"> Read More ><\/a><\/p>\n","protected":false},"author":8,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[72,4299],"tags":[],"class_list":["post-3599","post","type-post","status-publish","format-standard","hentry","category-magento","category-security"],"acf":[],"yoast_head_json":{"title":"Magento Security Patch Release 7-7-2015 | InMotion Hosting","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.inmotionhosting.com\/support\/edu\/magento\/magento-security-release-7-7-2015\/","og_locale":"en_US","og_type":"article","og_title":"Magento Security Patch Release 7-7-2015 | InMotion Hosting","og_description":"Who is affected? &#8211; Users of Magento Community Edition prior to 1.9.2.0. Have these issues been addressed? &#8211; The SUPEE-6285 Patch Bundle covers eight different issues that are listed in the article below. SUPEE-6285 Patch Bundle On June 7, 2015 Magento released a bundle of eight patches that addresses the following issues: Customer Information Leak Read More >","og_url":"https:\/\/www.inmotionhosting.com\/support\/edu\/magento\/magento-security-release-7-7-2015\/","og_site_name":"InMotion Hosting Support Center","article_publisher":"https:\/\/www.facebook.com\/inmotionhosting\/","article_published_time":"2015-07-08T08:03:29+00:00","author":"Scott Mitchell","twitter_card":"summary_large_image","twitter_creator":"@InMotionHosting","twitter_site":"@InMotionHosting","twitter_misc":{"Written by":"Scott Mitchell","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.inmotionhosting.com\/support\/edu\/magento\/magento-security-release-7-7-2015\/#article","isPartOf":{"@id":"https:\/\/www.inmotionhosting.com\/support\/edu\/magento\/magento-security-release-7-7-2015\/"},"author":{"name":"Scott Mitchell","@id":"https:\/\/www.inmotionhosting.com\/support\/#\/schema\/person\/d850efb28ef3573db7d24b0d8fa9eaed"},"headline":"Magento Security Patch Release 7-7-2015","datePublished":"2015-07-08T08:03:29+00:00","mainEntityOfPage":{"@id":"https:\/\/www.inmotionhosting.com\/support\/edu\/magento\/magento-security-release-7-7-2015\/"},"wordCount":516,"commentCount":0,"publisher":{"@id":"https:\/\/www.inmotionhosting.com\/support\/#organization"},"articleSection":["Magento","Security"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.inmotionhosting.com\/support\/edu\/magento\/magento-security-release-7-7-2015\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.inmotionhosting.com\/support\/edu\/magento\/magento-security-release-7-7-2015\/","url":"https:\/\/www.inmotionhosting.com\/support\/edu\/magento\/magento-security-release-7-7-2015\/","name":"Magento Security Patch Release 7-7-2015 | InMotion 
Hosting","isPartOf":{"@id":"https:\/\/www.inmotionhosting.com\/support\/#website"},"datePublished":"2015-07-08T08:03:29+00:00","breadcrumb":{"@id":"https:\/\/www.inmotionhosting.com\/support\/edu\/magento\/magento-security-release-7-7-2015\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.inmotionhosting.com\/support\/edu\/magento\/magento-security-release-7-7-2015\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.inmotionhosting.com\/support\/edu\/magento\/magento-security-release-7-7-2015\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.inmotionhosting.com\/support\/"},{"@type":"ListItem","position":2,"name":"Magento Security Patch Release 7-7-2015"}]},{"@type":"WebSite","@id":"https:\/\/www.inmotionhosting.com\/support\/#website","url":"https:\/\/www.inmotionhosting.com\/support\/","name":"InMotion Hosting Support Center","description":"Web Hosting Support &amp; Tutorials","publisher":{"@id":"https:\/\/www.inmotionhosting.com\/support\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.inmotionhosting.com\/support\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.inmotionhosting.com\/support\/#organization","name":"InMotion Hosting","url":"https:\/\/www.inmotionhosting.com\/support\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.inmotionhosting.com\/support\/#\/schema\/logo\/image\/","url":"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2023\/02\/inmotion-hosting-logo-yoast.jpg","contentUrl":"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2023\/02\/inmotion-hosting-logo-yoast.jpg","width":696,"height":696,"caption":"InMotion 
Hosting"},"image":{"@id":"https:\/\/www.inmotionhosting.com\/support\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/inmotionhosting\/","https:\/\/x.com\/InMotionHosting"]},{"@type":"Person","@id":"https:\/\/www.inmotionhosting.com\/support\/#\/schema\/person\/d850efb28ef3573db7d24b0d8fa9eaed","name":"Scott Mitchell","url":"https:\/\/www.inmotionhosting.com\/support\/author\/scott\/"}]}},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"primary_category":null,"_links":{"self":[{"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/posts\/3599","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/comments?post=3599"}],"version-history":[{"count":0,"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/posts\/3599\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/media?parent=3599"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/categories?post=3599"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/tags?post=3599"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}