SUPEE-6482
August 4, 2015
SUPEE-6482 is a bundle of patches that resolve several security-related issues.
You can find more details on the vulnerabilties address by this patch below:
| SSRF Vulnerability in WSDL file - APPSEC-1020 | |
|---|---|
| Type: | Remote File Inclusion |
| CVSSv3 Severity: | 5.3 (Medium) |
| Known Attacks: | None |
| Description: | Incorrect encoding of API password can lead to probing internal network resources or remote file inclusion. |
| Product(s) Affected: | Magento CE prior to 1.9.2.1, and Magento EE prior to 1.14.2.1 |
| Fixed In: | CE 1.9.2.1, EE 1.14.2.1 |
| Reporter: | Matthew Barry |
| Autoloaded File Inclusion in Magento SOAP API - APPSEC-1019 | |
|---|---|
| Type: | Remote Code Execution (RCE) |
| CVSSv3 Severity: | 6.5 (Medium) |
| Known Attacks: | None |
| Description: | Incorrect validation of a SOAP API request makes it possible to autoload code. The exploit requires the attacker to first log in with API credentials. Depending on the PHP version and/or configuration settings, code can then be loaded from a remote location. |
| Product(s) Affected: | Magento CE prior to 1.9.2.1, and Magento EE prior to 1.14.2.1 |
| Fixed In: | CE 1.9.2.1, EE 1.14.2.1 |
| Reporter: | Egidio Danilo Romano |
For Magento Enterprise Edition Only:
| Cross-site Scripting/Cache Poisoning - APPSEC-1030 | |
|---|---|
| Type: | Cross-site Scripting (XSS) - Stored / Cache Poisoning |
| CVSSv3 Severity: | 9.3 (Critical) |
| Known Attacks: | None |
| Description: | Unvalidated host header leaks into response and page. Because the page can be cached, this leak poses a risk for all store customers because any HTML or JavaScript code can be injected. Such an exploit works only with specific server configurations, and allows an attacker to intercept a session or modify a page with fake credit card forms, etc. |
| Product(s) Affected: | Magento EE prior to 1.14.2.1 |
| Fixed In: | EE 1.14.2.1 |
| Reporter: | Internal (ECG) |
| Cross-site Scripting in Gift Registry Search - APPSEC-1022 | |
|---|---|
| Type: | Cross-site Scripting (XSS) - Reflected |
| CVSSv3 Severity: | 9.3 (Critical) |
| Known Attacks: | None |
| Description: | Cross-site scripting vulnerability affects registered users. Attack through unescaped search parameter. Risk of cookie theft and impersonating as the user. |
| Product(s) Affected: | Magento EE prior to 1.14.2.1 |
| Fixed In: | EE 1.14.2.1 |
| Reporter: | Hannes Karlsson/Vaimo |
Please refer to Security Best Practices for CE or Security Best Practices for EE for additional information how to secure your site.
To download the patch, choose from the following options:
-
Partners: Go to the Partner Portal, select Technical Resources and then select Download from the Enterprise Edition panel. Next, navigate to Magento Enterprise Edition > Patches & Support and look for the folder titled "Security Patches – July 2015."
-
Enterprise Edition Merchants: Go to My Account, select the Downloads tab, and then navigate to Magento Enterprise Edition > Support Patches. Look for the folder titled “Security Patches – July 2015.” Merchants can also upgrade to the latest version of the Enterprise Edition and receive the security fixes as part of the core code.
-
Community Edition Merchants: Patches for earlier versions of Community Edition can be found on the Community Edition download page (look for SUPEE-6285). Merchants can also upgrade today to to the latest version of the Community Edition and receive the security fixes as part of the core code.
Be sure to implement and test the patch in a development environment first to confirm that it works as expected before deploying it to a production site. Information about installing patches for Magento Enterprise Edition and Magento Community Edition is available online.