MAGENTO SECURITY PATCH SUPEE-6285 RELEASED
Categorized as: Security Patches
SUPEE-6285 is a bundle of eight patches that resolves several security-related issues.
Several issues with CVSSv3 severity ratings were found affecting Magento products. Below are a few of the bugs:
Issue Type: Privilege Escalation / Insufficient Data Protection
| CVSSv3 Severity | Security Bug | Description |
| --- | --- | --- |
| 7.5 (High) | Customer Information Leak via RSS and Privilege Escalation | Improper check for authorized URL leads to customer information leak (order information, order IDs, customer name). Leaked information simplifies attack on guest Order Review, which exposes customer email, shipping and billing address. In some areas, the same underlying issue can lead to privilege escalation for Admin accounts. |
Issue Type: Cross-site Request Forgery
| CVSSv3 Severity | Security Bug | Description |
| --- | --- | --- |
| 9.3 (Critical) | Request Forgery in Magento Connect Leads to Code Execution | Cross-site request forgery in Magento Connect Manager allows an attacker to execute actions such as the installation of a remote module that leads to the execution of remote code. The attack requires a Magento store administrator, while logged in to Magento Connect Manager, to click a link that was prepared by the attacker. |
Issue Type: Cross-site Scripting (Other)
| CVSSv3 Severity | Security Bug | Description |
| --- | --- | --- |
| 5.3 (Medium) | Cross-site Scripting in Wishlist | This vulnerability makes it possible to include an unescaped customer name when a Wishlist is sent. By manipulating the customer name, an attacker can use the store to send spoofing or phishing emails. |
Source: Magento
Magento strongly recommends deploying these new security patches right away to ensure optimal security and performance.
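Before and after deploying, it helps to confirm which SUPEE patches a store actually records as applied. The script below is an added example, not code from the original post or from Magento; it assumes the store's app/etc/applied.patches.list, the file the official .sh patch scripts append to on a successful apply, and assumes the patch name is the second '|'-separated field of each line (the sample lines it writes are constructed).

```shell
#!/bin/sh
# Added example: report which required Magento 1 patches are missing from
# app/etc/applied.patches.list. Assumes one line per applied patch with
# '|'-separated fields, the second being the patch name (e.g. SUPEE-6285).

# Print the names of the required patches not found in the list.
# Usage: missing_patches <applied.patches.list> <patch-name> [<patch-name>...]
missing_patches() {
    list="$1"; shift
    for patch in "$@"; do
        # Match the name as a whole field so that a shorter name
        # (e.g. SUPEE-628) is never mistaken for SUPEE-6285.
        if ! grep -q "| $patch |" "$list" 2>/dev/null; then
            echo "$patch"
        fi
    done
}

# Returns 0 if SUPEE-6285 is recorded in the given list, 1 otherwise.
supee_6285_applied() {
    [ -z "$(missing_patches "$1" SUPEE-6285)" ]
}

# Constructed sample list: a store with two earlier patches but not SUPEE-6285.
make_sample_list() {
    printf '%s\n' \
      '2015-05-14 10:00:00 UTC | SUPEE-5344 | CE_1.9.1.1 | v1 | constructed' \
      '2015-07-07 10:00:00 UTC | SUPEE-5994 | CE_1.9.1.1 | v1 | constructed' \
      > "$1"
}

# Stand-alone run against the constructed sample. On a real store, point
# missing_patches at <magento-root>/app/etc/applied.patches.list instead.
sample=$(mktemp)
make_sample_list "$sample"
missing=$(missing_patches "$sample" SUPEE-5344 SUPEE-5994 SUPEE-6285)
if [ -n "$missing" ]; then
    echo "Missing patches: $missing"
else
    echo "All required patches are recorded as applied"
fi
rm -f "$sample"
```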
What else can be done to protect a Magento site?
Apart from installing the security patches, you can always ask Magento certified professionals to conduct a security audit every quarter to ensure that your store is secure, especially if you have installed new extensions or made changes to the site.
If you want to implement this security patch, or have any questions regarding the Magento SUPEE-6285 security patch, consult our certified Magento developers or contact our support team.