New Security Update

Install critical updates for Magento 1.x and Magento 2.x versions

SUPEE-6285

July 7, 2015

SUPEE-6285 is a bundle of eight patches that resolves several security-related issues.

You can find more details on the vulnerabilities addressed by this patch below:

Customer Information Leak via RSS and Privilege Escalation - APPSEC-996
Type: Privilege Escalation / Insufficient Data Protection
CVSSv3 Severity: 7.5 (High)
Known Attacks: None
Description:

Improper check for authorized URL leads to customer information leak (order information, order IDs, customer name). Leaked information simplifies an attack on guest Order Review, which exposes customer email, shipping and billing address. In some areas, the same underlying issue can lead to privilege escalation for Admin accounts.

Product(s) Affected: Magento CE prior to 1.9.2.0, and Magento EE prior to 1.14.2.1
Fixed In: CE 1.9.2.0, EE 1.14.2.1
Reporter: Erik Wohllebe
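The root cause above is an access decision made from the URL alone. The following is an added example, not Magento code, of the explicit ownership check a store should perform before rendering an order: a logged-in customer may only view orders bound to their customer id, and a guest may only view a guest order when the e-mail and last name they supply match the order record. The order records, the session value and the field names are constructed for the example.

```php
<?php
// Added example, not Magento code: ownership check before an order is shown.
declare(strict_types=1);

// Constructed sample store data (not real customer data).
$orders = [
    '100000123' => ['customer_id' => 42,   'email' => 'alice@example.com', 'lastname' => 'Smith'],
    '100000124' => ['customer_id' => null, 'email' => 'guest@example.com', 'lastname' => 'Jones'],
];

/**
 * Decide whether the current request may view $orderId.
 * $sessionCustomerId is the logged-in customer id, or null for a guest.
 * $guestProof carries the e-mail and last name a guest typed into the form.
 */
function canViewOrder(array $orders, string $orderId, ?int $sessionCustomerId, array $guestProof = []): bool
{
    if (!isset($orders[$orderId])) {
        return false; // unknown order: deny without revealing that it is unknown
    }
    $order = $orders[$orderId];

    // Registered order: only the owning customer, only while logged in.
    if ($order['customer_id'] !== null) {
        return $sessionCustomerId !== null && $sessionCustomerId === $order['customer_id'];
    }

    // Guest order: both fields must match. hash_equals keeps the comparison
    // constant-time so timing does not reveal which field was wrong.
    $email = strtolower(trim((string) ($guestProof['email'] ?? '')));
    $last  = trim((string) ($guestProof['lastname'] ?? ''));
    return $email !== '' && $last !== ''
        && hash_equals(strtolower($order['email']), $email)
        && hash_equals($order['lastname'], $last);
}

// Walk-through: the order id in the URL is never sufficient on its own.
printf("owner views own order:        %d\n", canViewOrder($orders, '100000123', 42));
printf("other customer, same URL:     %d\n", canViewOrder($orders, '100000123', 7));
printf("guest with matching proof:    %d\n", canViewOrder($orders, '100000124', null,
    ['email' => 'guest@example.com', 'lastname' => 'Jones']));
printf("guest with incomplete proof:  %d\n", canViewOrder($orders, '100000124', null,
    ['email' => 'guest@example.com']));
```

The same function shape applies to any URL that names a record by id: resolve the record, then decide from the session and the record together, never from the id alone.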
Request Forgery in Magento Connect Leads to Code Execution - APPSEC-924
Type: Cross-site Request Forgery
CVSSv3 Severity: 9.3 (Critical)
Known Attacks: None
Description:

Cross-site request forgery in Magento Connect Manager allows an attacker to execute actions such as the installation of a remote module that leads to the execution of remote code. The attack requires a Magento store administrator, while logged in to Magento Connect Manager, to click a link that was prepared by the attacker.

Product(s) Affected: Magento CE prior to 1.9.2.0, and Magento EE prior to 1.14.2.1
Fixed In: CE 1.9.2.0, EE 1.14.2.1
Reporter: Nicolas Melendez
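The defence against the request forgery described above is that every state-changing administrative action must carry a per-session secret that a page on another origin cannot read, and must be refused without it. The following is an added example, not Magento Connect Manager code, showing token issue, form embedding and request verification; the `form_key` field name, the in-memory session array and the `https://admin.example.test` origin are assumptions for the example.

```php
<?php
// Added example, not Magento code: CSRF token issue and verification.
declare(strict_types=1);

const CSRF_SESSION_KEY = '_csrf_token';

/** Issue (or reuse) the session's CSRF token. Called when rendering a form. */
function csrfToken(array &$session): string
{
    if (empty($session[CSRF_SESSION_KEY])) {
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    }
    return $session[CSRF_SESSION_KEY];
}

/** Hidden field for an HTML form; the token is attribute-escaped. */
function csrfField(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="form_key" value="' . $token . '">';
}

/**
 * Gate a state-changing request. Returns true only when the method is POST,
 * the submitted token matches the session's token, and, if the browser sent
 * an Origin header, it names this site. A plain link from an attacker-prepared
 * page fails the method check; a cross-origin form fails the token check.
 */
function csrfCheck(array $session, string $method, array $post, array $headers, string $ownOrigin): bool
{
    if ($method !== 'POST') {
        return false;
    }
    $expected = $session[CSRF_SESSION_KEY] ?? '';
    $given    = $post['form_key'] ?? '';
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return false;
    }
    if (isset($headers['Origin']) && $headers['Origin'] !== $ownOrigin) {
        return false;
    }
    return true;
}

// Constructed walk-through with an in-memory session instead of $_SESSION.
$session = [];
$formHtml = csrfField($session);          // the token is now stored in $session
$token    = $session[CSRF_SESSION_KEY];
$own      = 'https://admin.example.test'; // assumed site origin

$legit      = csrfCheck($session, 'POST', ['form_key' => $token], ['Origin' => $own], $own);
$forgedLink = csrfCheck($session, 'GET', [], [], $own);
$forgedForm = csrfCheck($session, 'POST', ['form_key' => 'guess'], ['Origin' => 'https://evil.example'], $own);
printf("legitimate=%d forged_link=%d forged_form=%d\n", $legit, $forgedLink, $forgedForm);
```

Actions that install code (such as a module installation) deserve the strictest form of this gate: POST only, token required, and no GET route that performs the action at all.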
Cross-site Scripting in Wishlist - APPSEC-1012
Type: Cross-site Scripting (Other)
CVSSv3 Severity: 5.3 (Medium)
Known Attacks: None
Description:

This vulnerability makes it possible to include an unescaped customer name when Wishlists are sent. By manipulating the customer name, an attacker can use the store to send spoofing or phishing emails.

Product(s) Affected: Magento CE prior to 1.9.2.0, and Magento EE prior to 1.14.2.1
Fixed In: CE 1.9.2.0, EE 1.14.2.1
Reporter: Bastian Ike
Cross-site Scripting in Cart - APPSEC-1005
Type: Cross-site Scripting (Reflected)
CVSSv3 Severity: 6.1 (Medium)
Known Attacks: None
Description:

The redirection link on an empty cart page uses non-validated user input, which makes it possible to use URL parameters to inject JavaScript code into the page.

Cookies and other information can be sent to the attacker, who is impersonating a customer.

Product(s) Affected: Magento CE prior to 1.9.2.0, and Magento EE prior to 1.14.2.1
Fixed In: CE 1.9.2.0, EE 1.14.2.1
Reporter: Hannes Karlsson
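Two separate controls close the class of bug described above: validate that the "return to" parameter is a path on this site, and escape whatever survives for the HTML attribute it lands in. The following is an added example, not Magento's cart code, placing a deliberately vulnerable link builder beside a hardened one; the function names and the sample inputs are constructed for the example.

```php
<?php
// Added example, not Magento code: redirect-link rendering, unsafe vs. hardened.
declare(strict_types=1);

/** Vulnerable: the parameter is trusted and echoed unescaped into an attribute. */
function continueLinkVulnerable(string $returnUrl): string
{
    return '<a href="' . $returnUrl . '">Continue shopping</a>';
}

/**
 * Accept only an absolute path on this site: it must start with a single "/"
 * (so "//other.host" and "javascript:" are rejected), contain no control
 * characters or backslashes, and parse as a path-only URL.
 */
function sanitizeReturnPath(string $candidate, string $fallback = '/'): string
{
    if ($candidate === '' || $candidate[0] !== '/' || substr($candidate, 0, 2) === '//') {
        return $fallback;
    }
    if (preg_match('/[\x00-\x1F\x7F\\\\]/', $candidate)) {
        return $fallback;
    }
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    return $candidate;
}

/** Hardened: validated path, then attribute-context escaping. */
function continueLinkSafe(string $returnUrl): string
{
    $path = sanitizeReturnPath($returnUrl);
    $attr = htmlspecialchars($path, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $attr . '">Continue shopping</a>';
}

// Constructed inputs: a normal path, an attribute-breaking payload,
// a protocol-relative external URL, and a scheme-based URL.
$inputs = [
    '/catalog/category/view/id/7',
    '/"><script>alert(1)</script>',
    '//other.example/landing',
    'javascript:alert(1)',
];
foreach ($inputs as $in) {
    echo "input:      $in\n";
    echo "vulnerable: " . continueLinkVulnerable($in) . "\n";
    echo "hardened:   " . continueLinkSafe($in) . "\n\n";
}
```

Escaping alone would stop the markup injection but still allow the link to point off-site; path validation alone would stop the off-site redirect but not a quote inside the path. Both checks are needed.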
Store Path Disclosure - APPSEC-847
Type: Information Leakage (Internal)
CVSSv3 Severity: 5.3 (Medium)
Known Attacks: None
Description:

Directly accessing the URL of files that are related to Magento Connect produces an exception that includes the server path. The exception is generated regardless of the configuration settings that control the display of exceptions. There is a low risk of attackers gaining a sufficient understanding of the site structure to target an attack.

Product(s) Affected: Magento CE prior to 1.9.2.0, and Magento EE prior to 1.14.2.1
Fixed In: CE 1.9.2.0, EE 1.14.2.1
Reporter: Ryan Satterfield
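The point of the entry above is that the display setting was bypassed: the response carried the server path whatever the configuration said. The following is an added example, not Magento code, of an error boundary where the full trace (including the absolute path) goes only to the log, the client receives a generic message plus an opaque reference id, and even developer mode shows a project-relative file name rather than the install directory. The log location, the install root and the function names are assumptions for the example.

```php
<?php
// Added example, not Magento code: keep file system paths out of error responses.
declare(strict_types=1);

/** Write the full exception (message, file, line, trace) to the log only. */
function logException(Throwable $e, string $referenceId, string $logFile): void
{
    $entry = sprintf("[%s] ref=%s %s: %s in %s:%d\n%s\n\n",
        gmdate('c'), $referenceId, get_class($e), $e->getMessage(),
        $e->getFile(), $e->getLine(), $e->getTraceAsString());
    file_put_contents($logFile, $entry, FILE_APPEND | LOCK_EX);
}

/**
 * Turn an exception into a client-safe response body. Even when
 * $developerMode is true, the absolute path is reduced to a path relative
 * to $projectRoot (or the bare file name if it lies elsewhere).
 */
function renderException(Throwable $e, bool $developerMode, string $projectRoot, string $logFile): string
{
    $ref = bin2hex(random_bytes(8));
    logException($e, $ref, $logFile);

    if (!$developerMode) {
        return "An error occurred. Please contact support and quote reference $ref.";
    }
    $file  = $e->getFile();
    $shown = strncmp($file, $projectRoot, strlen($projectRoot)) === 0
        ? ltrim(substr($file, strlen($projectRoot)), '/')
        : basename($file);
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return sprintf('%s: %s (%s:%d, ref %s)',
        get_class($e), $esc($e->getMessage()), $esc($shown), $e->getLine(), $ref);
}

// Constructed walk-through: the script's own directory stands in for the
// install root, so the thrown exception's file is under it.
$root = __DIR__;                                   // assumed install root
$log  = sys_get_temp_dir() . '/errors-example.log'; // assumed log location
try {
    throw new RuntimeException('downloader bootstrap failed');
} catch (RuntimeException $e) {
    echo "production: " . renderException($e, false, $root, $log) . "\n";
    echo "developer:  " . renderException($e, true, $root, $log) . "\n";
    echo "full trace logged to: $log\n";
}
```

Such a boundary must be installed at every entry point, including auxiliary scripts that do not go through the main application bootstrap, since that is exactly where the original issue surfaced.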
Permissions on Log Files too Broad - APPSEC-802
Type: Information Leakage (Internal)
CVSSv3 Severity: 3.8 (Low)
Known Attacks: None
Description:

Log files are created with permission settings that are too broad, which allows them to be read or altered by another user on the same server. The risk of an internal information leak is low.

Product(s) Affected: Magento CE prior to 1.9.2.0, and Magento EE prior to 1.14.2.1
Fixed In: CE 1.9.2.0, EE 1.14.2.1
Reporter: Ryan Satterfield
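Because `fopen` honours the process umask (commonly 022, which leaves new files world-readable), a logger has to set the mode explicitly. The following is an added example, not Magento's logger, that creates log files with mode 0640 and includes an audit helper a defender can run over a log directory to find files whose mode still grants "other" read or write. The directory, file names and the 0666 legacy file are constructed for the walk-through.

```php
<?php
// Added example, not Magento code: restrictive log file creation and an audit.
declare(strict_types=1);

/** Open or create a log file for appending with mode 0640, regardless of umask. */
function openLog(string $path)
{
    $isNew = !file_exists($path);
    $fh = fopen($path, 'a');
    if ($fh === false) {
        throw new RuntimeException("cannot open $path");
    }
    if ($isNew) {
        chmod($path, 0640); // owner rw, group r, nothing for other
    }
    return $fh;
}

function writeLog($fh, string $line): void
{
    fwrite($fh, gmdate('c') . ' ' . $line . "\n");
}

/**
 * Return the *.log files under $dir whose permission bits allow access by
 * users outside the owner and group, keyed by path with the octal mode.
 */
function findOverlyPermissiveLogs(string $dir): array
{
    clearstatcache();
    $bad = [];
    foreach (glob(rtrim($dir, '/') . '/*.log') ?: [] as $file) {
        $mode = fileperms($file) & 0777;
        if ($mode & 0006) { // o+r (4) or o+w (2)
            $bad[$file] = sprintf('%04o', $mode);
        }
    }
    return $bad;
}

// Constructed walk-through in a temporary directory.
$dir = sys_get_temp_dir() . '/log-perms-example';
@mkdir($dir, 0750);

$good = openLog("$dir/system.log");
writeLog($good, 'created with restrictive permissions');
fclose($good);

// Simulate a log left behind with the broad mode the advisory describes.
file_put_contents("$dir/exception.log", "legacy entry\n");
chmod("$dir/exception.log", 0666);

printf("system.log mode:    %04o\n", fileperms("$dir/system.log") & 0777);
echo "overly permissive:\n";
print_r(findOverlyPermissiveLogs($dir));
```

The audit loop is the part worth keeping after patching: a nightly check over the log directory catches files that a cron job, a deployment script or a different umask recreated with broad permissions.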
Cross-site Scripting in Admin - APPSEC-852
Type: Cross-site Scripting (Stored)
CVSSv3 Severity: 6.5 (Medium)
Known Attacks: None
Description:

An attacker can inject JavaScript into the title of a Widget from the Magento Admin. The code can be later executed when another administrator opens the Widget page.

The risk requires the attacker to have administrator access to the store. However, when executed, the attacker can take over other administrator accounts.

Product(s) Affected: Magento CE prior to 1.9.2.0, and Magento EE prior to 1.14.2.1
Fixed In: CE 1.9.2.0, EE 1.14.2.1
Reporter: Sasi Levi
Cross-site Scripting in Orders RSS - APPSEC-1012
Type: Cross-site Scripting (Stored)
CVSSv3 Severity: 5.3 (Medium)
Known Attacks: None
Description:

The vulnerability allows an attacker to include an unescaped customer name in the New Orders RSS feed. By manipulating the customer name, an attacker can inject incorrect or malicious data into the feed, and expose the store to risk.

Product(s) Affected: Magento CE prior to 1.9.2.0, and Magento EE prior to 1.14.2.1
Fixed In: CE 1.9.2.0, EE 1.14.2.1
Reporter: Bastian Ike
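The Wishlist entry (APPSEC-1012, above) and the Orders RSS entry share one root cause: a customer-controlled name inserted into generated output without escaping for that output's context, an HTML e-mail body in one case and an XML feed in the other. The following is an added example, not Magento code, that shows context-specific escaping for both, with the unsafe form beside the safe one. The customer name, order id and function names are constructed for the example.

```php
<?php
// Added example, not Magento code: escape a customer name per output context.
declare(strict_types=1);

// Constructed customer name carrying markup, as a self-registered account could hold.
$customerName = 'Alice <a href="https://phish.example">Verify account</a> & Co';

/** Escape for an HTML text or attribute context (e-mail bodies included). */
function escHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Escape for XML character data, e.g. an RSS <title> or <description>. */
function escXml(string $s): string
{
    // Strip characters that are illegal in XML 1.0, then escape the five specials.
    $s = preg_replace('/[^\x09\x0A\x0D\x20-\x{10FFFF}]/u', '', $s) ?? '';
    return htmlspecialchars($s, ENT_QUOTES | ENT_XML1, 'UTF-8');
}

/** Wishlist share e-mail body: unsafe interpolation vs. escaped. */
function wishlistEmailUnsafe(string $name): string
{
    return "<p>$name shared a wishlist with you.</p>";
}

function wishlistEmailSafe(string $name): string
{
    return '<p>' . escHtml($name) . ' shared a wishlist with you.</p>';
}

/** One RSS <item> for a new order; the title carries the customer name. */
function orderRssItem(string $orderId, string $name, bool $escape): string
{
    $title = "Order #$orderId by $name";
    if ($escape) {
        $title   = escXml($title);
        $orderId = escXml($orderId);
    }
    return "<item><title>$title</title><guid>$orderId</guid></item>";
}

echo "email (unsafe): " . wishlistEmailUnsafe($customerName) . "\n";
echo "email (safe):   " . wishlistEmailSafe($customerName) . "\n";
echo "rss (unsafe):   " . orderRssItem('100000123', $customerName, false) . "\n";
echo "rss (safe):     " . orderRssItem('100000123', $customerName, true) . "\n";

// The escaped item is well-formed XML; the unsafe one carries a bare "&" and a
// nested element, so a reader either rejects the feed or renders the link.
$doc = '<?xml version="1.0"?><rss><channel>'
     . orderRssItem('100000123', $customerName, true) . '</channel></rss>';
printf("safe feed parses: %s\n", simplexml_load_string($doc) !== false ? 'yes' : 'no');
```

The same rule covers the Admin widget title entry (APPSEC-852): the title is attacker-influenced data and must be escaped for the HTML context where the admin page renders it, not trusted because it was entered by an authenticated user.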

Please refer to Security Best Practices for CE or Security Best Practices for EE for additional information on how to secure your site.

To download the patch, choose from the following options:

  • Partners: Go to the Partner Portal, select Technical Resources and then select Download from the Enterprise Edition panel. Next, navigate to Magento Enterprise Edition > Patches & Support and look for the folder titled "Security Patches – July 2015."

  • Enterprise Edition Merchants: Go to My Account, select the Downloads tab, and then navigate to Magento Enterprise Edition > Support Patches. Look for the folder titled “Security Patches – July 2015.” Merchants can also upgrade to the latest version of the Enterprise Edition and receive the security fixes as part of the core code.

  • Community Edition Merchants: Patches for earlier versions of Community Edition can be found on the Community Edition download page (look for SUPEE-6285). Merchants can also upgrade today to the latest version of the Community Edition and receive the security fixes as part of the core code.

Be sure to implement and test the patch in a development environment first to confirm that it works as expected before deploying it to a production site. Information about installing patches for Magento Enterprise Edition and Magento Community Edition is available online.