Magento Security Patch SUPEE-5994

Magento released the Security Patch SUPEE-5994 bundle on May 14, 2015. It fixes eight security issues. Current releases of Magento Commerce and Magento Open Source already include these fixes; older installations need to apply the patch. The issues addressed and where to obtain the patch are described below.

Benefits of Magento Security Patch SUPEE-5994 Bundle

The Security Patch SUPEE-5994 bundle fixes the following eight issues:

  • Cross-site Scripting: Magento Downloader (APPSEC-979)
  • Code Injection in Spreadsheet Formulas (APPSEC-978)
  • Cross-site Scripting: Authorize.net (APPSEC-907)
  • Admin Path Disclosure (APPSEC-977)
  • Information Leak: Checkout (APPSEC-945)
  • Information Leak: Recurring Profile (APPSEC-926)
  • Local Path Disclosure (APPSEC-965)
  • Overwritten System Files (APPSEC-535)

Release Information

The Magento Security Patch SUPEE-5994 bundle addresses issues in several classes: cross-site scripting, code injection through exported spreadsheets, information leaks, and unintended path disclosures.

Merchants should follow industry best practices for security. Keeping a site current with upgrades and security patches provides the best available protection; an unpatched older release remains exposed to every issue listed above.

Installation

To obtain the Magento Security Patch SUPEE-5994 bundle:

  • Partners
    Go to the Partner Portal and select Technical Resources, then Download on the Commerce panel. Next, select Magento Commerce Edition > Patches and Support and open the folder named “Security Patches – May 2015.”
  • Magento Commerce Edition Merchants
    Open your account page, click Downloads, and select Magento Commerce Edition > Support patches. Then open the “Security Patches – May 2015” folder to download the patch. Because more recent Commerce Edition releases already include this patch, Forix also recommends upgrading.
  • Magento Open Source Edition Merchants
    Security patches for all previous Magento Open Source Edition releases are on the download page (search for SUPEE-5994). Alternatively, upgrading to a current Open Source Edition release gives you the fix automatically.

Whichever channel you use, the patch ships as a shell script that must be run from the Magento root directory. After running it, confirm that SUPEE-5994 appears in app/etc/applied.patches.list, which the Magento 1 patch scripts update on success; a patch that did not apply cleanly (for example because of locally modified core files) will not be listed there.

Issues Addressed

The following descriptions cover four of the eight issues fixed by the Magento Security Patch SUPEE-5994 bundle, with the risk rating Magento assigned to each.

  1. Cross-site Scripting: Magento Downloader (APPSEC-979) – Risk Rating: 8.2 High
    The Magento Downloader (Magento Connect Manager) is vulnerable to cross-site scripting. An attacker who tricks an administrator who is logged in to the Connect Manager into clicking a crafted link can run JavaScript in that administrator's browser, steal the session, and install arbitrary extensions. Because extensions are PHP code, this amounts to running attacker-supplied code on the server.
  2. Code Injection in Spreadsheet Formulas (APPSEC-978) – Risk Rating: 6.1 Medium
    This is a spreadsheet (CSV) formula injection. An attacker enters a value that begins with a formula character into a storefront field, such as a customer name, that later appears in an admin export. When an administrator opens the export in Microsoft Excel, the formula is evaluated and can alter data, send personal data to the attacker, or execute commands on the administrator's workstation. Excel shows a security warning first, but the formula runs as soon as the user dismisses it.
  3. Cross-site Scripting: Authorize.net (APPSEC-907) – Risk Rating: 6.1 Medium
    The Authorize.net payment integration is vulnerable to cross-site scripting on a page that customers see after logging in. If a customer follows a crafted link, attacker-supplied JavaScript runs in the customer's browser, which lets the attacker steal the session cookies and hijack the session, read the customer's personal data, and tamper with the checkout page.
  4. Information Leak: Checkout (APPSEC-945) – Risk Rating: 5.3 Medium
    This issue exposes other customers' names, addresses, and phone numbers. Address records are identified by sequential numeric IDs, and the checkout does not verify that a requested record belongs to the customer asking for it. An attacker can therefore create an account, add a product to the cart, proceed to checkout, and request address records by ID to enumerate other customers' data.
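The spreadsheet formula injection in item 2 (APPSEC-978), shown in working code. This is an added example and is not part of the original page or of Magento's own fix. The customer records, the hostile "name" value, the trigger-character set, and the single-quote prefix used to neutralize cells are all assumptions of this example; the point it demonstrates is that the export must treat user-supplied text as data before a spreadsheet application ever sees it.

```python
import csv
import io

# Leading characters that make Excel and LibreOffice evaluate a cell as a
# formula. Tab and carriage return are included because a cell starting with
# them followed by a formula character is evaluated as well.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

CUSTOMER_FIELDS = ["id", "name", "email"]

# Constructed sample: customer rows as an attacker could create them through
# the storefront registration form. Row 2 carries a DDE-style formula that
# launches a program once the export is opened and the warning is dismissed.
CUSTOMERS = [
    {"id": 1, "name": "Alice Example", "email": "alice@example.com"},
    {"id": 2, "name": "=cmd|' /C calc'!A0", "email": "mallory@example.com"},
    # Legitimate-looking value that still starts with a trigger character.
    {"id": 3, "name": "+1-555-0100", "email": "bob@example.com"},
]


def neutralize_cell(value):
    """Prefix any cell a spreadsheet would evaluate with a single quote.

    Excel treats a cell that starts with ' as literal text, so the attacker's
    formula is displayed rather than executed. Values that do not start with a
    trigger character are passed through unchanged.
    """
    text = str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_csv(rows, fieldnames, sanitize=True):
    """Render rows as CSV. sanitize=False reproduces the vulnerable export."""
    buf = io.StringIO()
    writer = csv.DictWriter(
        buf, fieldnames=fieldnames, quoting=csv.QUOTE_ALL, lineterminator="\n"
    )
    writer.writeheader()
    for row in rows:
        cells = {k: (neutralize_cell(v) if sanitize else v) for k, v in row.items()}
        writer.writerow(cells)
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Audit an export: return (row, column, value) for every cell that a
    spreadsheet application would evaluate as a formula."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.startswith(FORMULA_TRIGGERS):
                hits.append((r, c, cell))
    return hits


if __name__ == "__main__":
    unsafe = export_csv(CUSTOMERS, CUSTOMER_FIELDS, sanitize=False)
    print("formula cells in unsanitized export:", find_formula_cells(unsafe))
    safe = export_csv(CUSTOMERS, CUSTOMER_FIELDS, sanitize=True)
    print("formula cells in sanitized export:", find_formula_cells(safe))
```

The trade-off to be aware of: a blanket prefix also neutralizes benign values that start with a trigger character, such as the phone number in row 3 or a negative number, so the export shows them with a leading quote. That is usually acceptable for a security export; if it is not, the alternative is to neutralize only the columns that accept free text, and `find_formula_cells` can be run over any export to confirm nothing evaluable slipped through.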
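The checkout information leak in item 4 (APPSEC-945) is an insecure direct object reference: a record is fetched by a guessable ID without checking who owns it. The following is an added example, not code from the original page or from Magento, that models the vulnerable lookup beside the corrected one, runs the sequential-ID enumeration against both, and adds a simple detection heuristic. The address table, the session/customer model, the access-log shape, and the threshold are all assumptions of the example.

```python
# Constructed sample: address-book rows with sequential primary keys, as a
# store database would hold them. customer_id is the owning account.
ADDRESSES = {
    101: {"customer_id": 1, "name": "Alice Example", "phone": "555-0100", "street": "1 Main St"},
    102: {"customer_id": 2, "name": "Bob Example", "phone": "555-0101", "street": "2 Main St"},
    103: {"customer_id": 2, "name": "Bob Example", "phone": "555-0102", "street": "3 Main St"},
}


class Forbidden(Exception):
    """Raised when a customer requests a record that is not theirs."""


def get_checkout_address_vulnerable(session_customer_id, address_id):
    """Vulnerable pattern: the row is fetched by ID alone, so any logged-in
    customer can read any other customer's address."""
    return ADDRESSES[address_id]


def get_checkout_address_fixed(session_customer_id, address_id):
    """Hardened pattern: the row must belong to the customer in the session.

    Missing and foreign rows produce the same error so the response does not
    reveal which IDs exist.
    """
    row = ADDRESSES.get(address_id)
    if row is None or row["customer_id"] != session_customer_id:
        raise Forbidden("address not found")
    return row


def enumerate_addresses(lookup, session_customer_id, start, count):
    """Simulate the attack: walk a range of sequential IDs from one customer
    session and collect every record the endpoint hands back."""
    leaked = {}
    for address_id in range(start, start + count):
        try:
            leaked[address_id] = lookup(session_customer_id, address_id)
        except (KeyError, Forbidden):
            continue
    return leaked


# Constructed access log: (session_id, requested_address_id, http_status).
# sess-a behaves normally; sess-b walks the ID space.
ACCESS_LOG = [
    ("sess-a", 101, 200),
    ("sess-a", 101, 200),
    ("sess-b", 100, 403),
    ("sess-b", 101, 403),
    ("sess-b", 102, 200),
    ("sess-b", 103, 200),
    ("sess-b", 104, 403),
]


def flag_enumeration(access_log, min_distinct_ids=5):
    """Detection heuristic: flag sessions that requested many distinct address
    IDs. A real customer touches a handful of their own records; an enumerator
    touches a contiguous range, most of which fail once the fix is in place."""
    ids_by_session = {}
    for session, address_id, _status in access_log:
        ids_by_session.setdefault(session, set()).add(address_id)
    return sorted(s for s, ids in ids_by_session.items() if len(ids) >= min_distinct_ids)


if __name__ == "__main__":
    print("vulnerable:", enumerate_addresses(get_checkout_address_vulnerable, 1, 100, 10))
    print("fixed:     ", enumerate_addresses(get_checkout_address_fixed, 1, 100, 10))
    print("flagged:   ", flag_enumeration(ACCESS_LOG))
```

Running the block shows the vulnerable lookup returning all three rows to customer 1, while the fixed lookup returns only the row customer 1 owns. The ownership check belongs next to the query, not in the template, so every code path that loads an address goes through it.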

Install the Magento Security Patch SUPEE-5994 Bundle Today

Forix urges merchants to upgrade to a more recent release or to install the Magento Security Patch SUPEE-5994 bundle today to protect their storefronts. Forix offers support for installing this patch so that the update goes smoothly.

Resources:
https://magento.com/security/patches/supee-5994