MAGENTO SECURITY PATCH SUPEE-6482 RELEASED
Categorized as: Security Patches
SUPEE-6482 is a bundle of patches that resolve several security-related issues.
Several issues of varying CVSSv3 severity were found affecting Magento products. The bugs are summarised below:
Issue Type: Remote File Inclusion
| CVSSv3 Severity | Security Bug | Description |
| --- | --- | --- |
| 5.3 (Medium) | Error Reporting in Setup Exposes Configuration | Incorrect encoding of the API password can lead to probing of internal network resources or remote file inclusion. |
Issue Type: Remote Code Execution (RCE)
| CVSSv3 Severity | Security Bug | Description |
| --- | --- | --- |
| 6.5 (Medium) | Autoloaded File Inclusion in Magento SOAP API | Incorrect validation of a SOAP API request makes it possible to autoload code. The exploit requires the attacker to first log in with API credentials. Depending on the PHP version and/or configuration settings, code can then be loaded from a remote location. |
Issue Type: Cross-site Scripting (XSS) - Stored / Cache Poisoning
| CVSSv3 Severity | Security Bug | Description |
| --- | --- | --- |
| 9.3 (Critical) | Cross-site scripting with error messages/CSRF/Session fixation | An unvalidated Host header leaks into the response and the page. Because the page can be cached, this leak poses a risk to all store customers, since any HTML or JavaScript code can be injected. The exploit works only with specific server configurations, and allows an attacker to intercept a session or modify a page with fake credit card forms, etc. |
| 9.3 (Critical) | Cross-site Scripting in Gift Registry Search | A cross-site scripting vulnerability affecting registered users. The attack is delivered through an unescaped search parameter, with a risk of cookie theft and impersonation of the user. |
Source: Magento
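As an added illustration (not code from Magento or from the SUPEE-6482 patch), the hypothetical PHP fragment below contrasts the two injection patterns the last table describes: a base URL built from the raw Host header that a full-page cache would then store for every visitor, and a search term echoed into HTML unescaped, each beside a hardened form. The hostnames, `$allowedHosts` and the function names are assumptions made for the example.

```php
<?php
// Added example, not Magento code. Constructed allowlist of the store's own hostnames.
$allowedHosts = ['store.example.com', 'www.store.example.com'];

// Weak: the request-supplied Host header is trusted and written into markup that a
// full-page cache may store and then serve to every customer (cache poisoning).
function baseUrlUnsafe(array $server): string
{
    return 'https://' . $server['HTTP_HOST'] . '/';
}

// Hardened: only a configured hostname may reach the response; anything else falls
// back to the canonical host, so attacker-controlled input never enters the page.
function baseUrlSafe(array $server, array $allowedHosts): string
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    $host = preg_replace('/:\d+$/', '', $host) ?? '';   // drop an optional port suffix
    if (!in_array($host, $allowedHosts, true)) {
        $host = $allowedHosts[0];                        // canonical host, never request input
    }
    return 'https://' . $host . '/';
}

// Weak: the search parameter is reflected into HTML without escaping.
function renderSearchHeadingUnsafe(string $q): string
{
    return '<h1>Results for ' . $q . '</h1>';
}

// Hardened: HTML-escape with the page charset; quotes are escaped too, so the value
// is safe inside attributes as well as text nodes.
function renderSearchHeadingSafe(string $q): string
{
    return '<h1>Results for ' . htmlspecialchars($q, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</h1>';
}

// Constructed requests: one from the real store host, one with a foreign Host header.
$normal  = ['HTTP_HOST' => 'store.example.com'];
$foreign = ['HTTP_HOST' => 'attacker.example'];

var_dump(baseUrlUnsafe($foreign) === 'https://attacker.example/');          // bool(true): leaks
var_dump(baseUrlSafe($foreign, $allowedHosts) === 'https://store.example.com/'); // bool(true)
var_dump(baseUrlSafe($normal, $allowedHosts) === 'https://store.example.com/');  // bool(true)
var_dump(strpos(renderSearchHeadingUnsafe('<b>x</b>'), '<b>') !== false);       // bool(true): reflected
var_dump(strpos(renderSearchHeadingSafe('<b>x</b>'), '<b>') === false);         // bool(true): escaped
```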
Magento strongly recommends deploying these security patches right away to keep your store secure and performing well.
What else can be done to protect a Magento site?
Apart from installing the security patches, you can ask Magento certified professionals to conduct a security audit every quarter to confirm that your store remains secure, especially if you have installed new extensions or made changes to the site.
If you would like our certified Magento developers to implement this security patch, or have any questions about the Magento SUPEE-6482 security patch, please contact our support team.