Magento Security Patches
Security Updates and News
- Magento Security Patch 2.2.1, 2.1.10 and 2.0.17 Update
- Magento 2.0.6 Security Update
- Magento 2.0.4 Security Update
- Magento 2.0.16 and 2.1.9 Security Update
- Magento 2.0.14 and 2.1.7 Security Update
- Magento Security Update 2.0.10 and 2.1.2
- SUPEE-6788 Address Zend Framework Vulnerability Update
- Magento Security Patch 2.0.1 Update
- SUPEE-6788 Technical Details
Magento Security Patch SUPEE-6788 Update
The Magento Security Patch SUPEE-6788 Update was released on October 27, 2015 to repair multiple vulnerabilities revealed by recent attacks. This patch is also included in the latest Magento Commerce and Open Source editions. Forix recommends vendors install this update today to remove multiple security risks. Learn more about what security issues were repaired and how Forix can help with installation.
Benefits of Magento Security Patch SUPEE-6788 Update
Security upgrades in the Magento Security Patch SUPEE-6788 Update protect stores from several security issues, including:
- Error Reporting Exposes Configuration (APPSEC-1102)
- Filter Directives Allows Access to Data (APPSEC-1057)
- XXE/XEE Attack (APPSEC-1045)
- Possible SQL Injection in Magento Core (APPSEC-1063)
- Potential Remote Code Execution (APPSEC-1037)
- File Custom Option Leaks Information (APPSEC-1079)
- Cross-site Scripting Errors (APPSEC-1039/APPSEC-1228)
- Error Reports/Downloaded Projects Remote Code (APPSEC-1032)
- Disclosure of Admin Path (APPSEC-1034)
- Vulnerability in Password Reset (APPSEC-1027)
- Dev Folder Unprotected (APPSEC-1124)
- Cross-site Scripting/Caching Poison (APPSEC-1030)
The Magento Security Patch SUPEE-6788 Update fixes multiple security issues revealed in recent attacks. This includes setup errors exposing data, filter directives allowing access to encrypted data, and an XXE/XEE attack on Zend XML functionality.
Forix encourages vendors to always use best practices regarding the security of their sites. They also recommend vendors keep their site updated and to watch for new patches.
For patch downloading, Forix recommends the following options:
Partners should go to the Partner Portal, find and select Technical Resources, then choose Download from the Commerce panel. Following that, partners should go to Magento Commerce Edition > Patches and Support to find the “Security Patches – October 2016” folder.
- Magento Commerce Edition Vendors
Commerce Edition vendors should go to My Account, choose the Downloads tab, and find Magento Commerce Edition > Support patches. Find the “Security Patches – October 2015” folder to get the latest patch. Vendors can upgrade to the most recent Commerce Edition, which has all of the security fixes included.
- Magento Open Source Edition Vendors
Open Source Edition vendors can find patches for previous versions of Magento Open Source Edition on the download page (search for SUPEE-6788). Vendors who choose to upgrade to the most recent Open Source Edition version will have the security fixes included in the upgrade.
Learn more about the risks addressed by Magento Security Patch SUPEE-6788 Vulnerability Update below.
- Error Reporting Exposes Configuration (APPSEC-1102) – Risk Rating: 7.5 (High)
Error messages during installation of Magento or an extension can reveal configuration and database access credentials.
- Filter Directives Allows Access to Data (APPSEC-1057) – Risk Rating: 7.5 (High)
An email template filter could call blocks and reveal customer data, including recent orders and passwords.
- XXE/XEE Attack (APPSEC-1045) – Risk Rating: 7.5 (High)
An attacker can force Magento to read XML via API contacts that contain local files references. This could expose passwords or configuration files.
Install the Magento Security Patch SUPEE-6788 Update Today
Forix urges all merchants to upgrade to the latest versions of Magento products or install the Magento Security Patch SUPEE-6788 Update today. Your site will be fully protected against a series of new threats. Forix offers help in installation to ensure a smooth process. Upgrade now to protect your store.