Magento Security Patches
Magento Security Patch SUPEE-6482
The Magento Security Patch SUPEE-6482 bundle was released on August 4, 2015 to fix several vulnerabilities, some of which came to light through recent compromises of Magento stores. The latest Magento Commerce and Open Source releases already include these fixes. Merchants running older versions should install the bundle to close the issues listed below.
Benefits of Magento Security Patch SUPEE-6482 Bundle
The Security Patch SUPEE-6482 bundle was released to provide protection from numerous security risks, including:
- SSRF Vulnerability in WSDL File (APPSEC-1020)
- SOAP API Autoloaded File Inclusion (APPSEC-1019)
- Cross-site Scripting Errors/Poisoning (APPSEC-1030)
- Cross-site Scripting: Gifting Registry (APPSEC-1022)
The Magento Security Patch SUPEE-6482 bundle addresses several distinct weaknesses: incorrect encoding of API passwords (the root of the SSRF issue), insufficient validation of SOAP API requests (the root of the file inclusion issue), use of unvalidated host headers in generated pages (one of the cross-site scripting issues), and others.
Forix urges developers to follow industry security best practices: apply patches promptly, keep the site up to date, and watch for new Magento security announcements.
To download the Magento Security Patch SUPEE-6482 bundle:
- Magento Partners
Partners navigate to the partner portal, choose Technical Resources, and click Download in the Commerce panel. From there, go to Magento Commerce Edition > Patches and Support and open the folder named “Security Patches – July 2015.”
- Magento Commerce Edition Vendors
Vendors running the Magento Commerce Edition need to access the My Account page, click Downloads, and look for Magento Commerce Edition > Support patches. Find the “Security Patches – July 2015” folder to download the latest patch. Upgrading to the most recent version of Commerce Edition provides the same protection.
- Magento Open Source Edition Vendors
Open Source Edition vendors should search the download page for security patches for earlier Open Source releases (search for SUPEE-6482). Vendors who upgrade to the most recent Open Source release do not need to install this bundle separately.
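After installing, confirm that the bundle is actually recorded as applied on every web server, rather than trusting the download alone. The script below is an added example written for this page, not part of Magento's own patch tooling. It reads the log that Magento 1 patch scripts keep in app/etc/applied.patches.list and assumes two things about that log's format: each apply or revert appends a timestamp-prefixed, pipe-separated record line naming the patch, and a revert is recorded with the word REVERTED on its record line. The sample log in the block is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the Magento patch tooling): report whether a
# Magento 1 patch bundle such as SUPEE-6482 is currently applied, based on the
# log that the official patch scripts keep in app/etc/applied.patches.list.
#
# Assumptions (not verified against every Magento 1 release):
#   - every apply or revert appends a record line that starts with a UTC
#     timestamp and lists the patch name as a pipe-separated field, e.g.
#     "2015-08-06 13:33:44 UTC | SUPEE-6482 | CE_1.9.2.0 | v1 | ..."
#   - a revert is recorded with the word REVERTED on its record line.

# patch_status FILE PATCH_NAME
# Prints "applied", "reverted" or "missing"; exit status 0 only when applied.
patch_status() {
    file=$1
    patch=$2
    if [ ! -r "$file" ]; then
        echo missing
        return 1
    fi
    # Keep only record lines (timestamp-prefixed), then only those naming this
    # patch as a whole field: " SUPEE-6482 |" does not match SUPEE-64821.
    records=$(grep -E '^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9:]{8} UTC \|' "$file" \
              | grep -F -- " $patch |" || true)
    if [ -z "$records" ]; then
        echo missing
        return 1
    fi
    # A patch may be applied, reverted and re-applied; it is live only when
    # the number of apply records exceeds the number of revert records.
    applied=$(printf '%s\n' "$records" | grep -vc REVERTED || true)
    reverted=$(printf '%s\n' "$records" | grep -c REVERTED || true)
    if [ "$applied" -gt "$reverted" ]; then
        echo applied
        return 0
    fi
    echo reverted
    return 1
}

# Constructed sample log (not taken from a real store) to exercise the function.
sample=$(mktemp)
cat > "$sample" <<'EOF'
2015-08-06 13:33:44 UTC | SUPEE-6482 | CE_1.9.2.0 | v1 | 5b6d1e2f | Mon Aug 3 10:02:22 2015 +0300 | v1.9.2.0..HEAD

patching file app/code/core/Mage/Api/Model/Server/Handler/Abstract.php
EOF
echo "SUPEE-6482: $(patch_status "$sample" SUPEE-6482)"   # applied
echo "SUPEE-6285: $(patch_status "$sample" SUPEE-6285)"   # missing
rm -f "$sample"

# On a real store, point it at the installed codebase, for example:
#   patch_status /var/www/magento/app/etc/applied.patches.list SUPEE-6482
```

Run it on each web node rather than on a single one: the log is written where the patch script ran, so a node deployed from an unpatched copy carries no record and reports missing even when others report applied.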
Below is a list of issues addressed in the Magento Security Patch SUPEE-6482 bundle:
- Cross-site Scripting Errors/Poisoning (APPSEC-1030) – Risk Rating: 9.3 Critical
- Cross-site Scripting: Gifting Registry (APPSEC-1022) – Risk Rating: 9.3 Critical
Both cross-site scripting issues let an attacker inject script through values the store echoes back into a page without escaping, such as search parameters. A customer who loads the poisoned page runs the injected script, which can send the session cookie to the attacker and allow them to impersonate that customer. The gift registry issue affects Commerce editions only, since Open Source editions do not ship that feature.
- SOAP API Autoloaded File Inclusion (APPSEC-1019) – Risk Rating: 6.5 Medium
Because SOAP API requests were not validated strictly enough, an attacker can make the server autoload and include a file of their choosing. The attacker must first authenticate with valid API credentials; after that, under certain PHP versions and/or configuration settings, the included file can be fetched from a remote location, which amounts to executing attacker-supplied code on the server. The need for API credentials is why this issue is rated Medium rather than Critical.
- SSRF Vulnerability in WSDL File (APPSEC-1020) – Risk Rating: 5.3 Medium
Because API passwords were encoded incorrectly, an attacker can cause the server to issue requests on their behalf (server-side request forgery), using them to probe internal network resources or to write files into a directory on the server.
Download the Magento Security Patch SUPEE-6482 Bundle Today
Install the Magento Security Patch SUPEE-6482 bundle now to protect your storefront. Forix stands ready to help with the installation and with confirming afterwards that the patch applied cleanly.