SUPEE-6482 is a bundle of patches that resolve several security-related issues.
A cross-site scripting vulnerability affects registered users. The attack is delivered through an unescaped search parameter and carries a risk of cookie theft and impersonation of the user.
Incorrect encoding of the API password can lead to probing internal network resources or remote file inclusion.
Incorrect validation of a SOAP API request makes it possible to autoload code. The exploit requires the attacker to first log in with API credentials. Depending on the PHP version and/or configuration settings, code can then be loaded from a remote location.
SUPEE-6285 is a bundle of eight patches that resolve several security-related issues.
The vulnerability allows an attacker to include an unescaped customer name in the New Orders RSS feed. By manipulating the customer name, an attacker can inject incorrect or malicious data into the feed, and expose the store to risk.
The risk requires the attacker to have administrator access to the store. However, when executed, the attacker can take over other administrator accounts.
Log files are created with permission settings that are too broad, which allows them to be read or altered by another user on the same server. The risk of an internal information leak is low.
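A check for the log-file issue above, as an added example that is not part of the patch or of Magento's own code: it lists log files that grant any permission to group or other users and strips those bits. The directory passed on the command line is an assumption; use your installation's log directory.

```shell
#!/bin/sh
# Added example: audit and tighten permissions on application log files.
# The log directory is supplied by the caller (assumption: it holds only logs).

# Print every regular file under $1 that grants any group/other permission bit.
# "-perm -NNN" with a single bit matches files that have that bit set.
list_broad_logs() {
    find "$1" -type f \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Number of files flagged by list_broad_logs.
count_broad_logs() {
    list_broad_logs "$1" | wc -l | tr -d ' '
}

# Remove all group/other bits from every regular file under $1.
# Owner bits are left untouched, so the application can still write its logs.
tighten_logs() {
    find "$1" -type f -exec chmod go-rwx {} +
}

# Stand-alone use: sh audit_logs.sh /path/to/log/dir [--fix]
if [ "$#" -gt 0 ]; then
    echo "Files readable or writable by other users: $(count_broad_logs "$1")"
    list_broad_logs "$1"
    if [ "${2:-}" = "--fix" ]; then
        tighten_logs "$1"
        echo "Remaining after fix: $(count_broad_logs "$1")"
    fi
fi
```

This only corrects files that already exist; files created later get whatever mode the application and its umask give them, which is what the patch addresses.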
Directly accessing the URL of files that are related to Magento Connect produces an exception that includes the server path. The exception is generated regardless of the configuration settings that control the display of exceptions. There is a low risk of attackers gaining a sufficient understanding of the site structure to target an attack.