SUPEE-6482

August 4, 2015

SUPEE-6482 is a bundle of patches that resolve several security-related issues.

You can find more details on the vulnerabilities addressed by this patch below:

SSRF Vulnerability in WSDL file - APPSEC-1020
Type: Remote File Inclusion
CVSSv3 Severity: 5.3 (Medium)
Known Attacks: None
Description:

Incorrect encoding of API password can lead to probing internal network resources or remote file inclusion.

Product(s) Affected: Magento CE prior to 1.9.2.1, and Magento EE prior to 1.14.2.1
Fixed In: CE 1.9.2.1, EE 1.14.2.1
Reporter: Matthew Barry

Autoloaded File Inclusion in Magento SOAP API - APPSEC-1019
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 6.5 (Medium)
Known Attacks: None
Description:

Incorrect validation of a SOAP API request makes it possible to autoload code. The exploit requires the attacker to first log in with API credentials. Depending on the PHP version and/or configuration settings, code can then be loaded from a remote location.

Product(s) Affected: Magento CE prior to 1.9.2.1, and Magento EE prior to 1.14.2.1
Fixed In: CE 1.9.2.1, EE 1.14.2.1
Reporter: Egidio Danilo Romano

For Magento Enterprise Edition Only:

Cross-site Scripting/Cache Poisoning - APPSEC-1030
Type: Cross-site Scripting (XSS) - Stored / Cache Poisoning
CVSSv3 Severity: 9.3 (Critical)
Known Attacks: None
Description:

An unvalidated Host header leaks into the response and the page. Because the page can be cached, this leak poses a risk for all store customers, since any HTML or JavaScript code can be injected. Such an exploit works only with specific server configurations, and allows an attacker to intercept a session or modify a page with fake credit card forms, etc.

Product(s) Affected: Magento EE prior to 1.14.2.1
Fixed In: EE 1.14.2.1
Reporter: Internal (ECG)

Cross-site Scripting in Gift Registry Search - APPSEC-1022
Type: Cross-site Scripting (XSS) - Reflected
CVSSv3 Severity: 9.3 (Critical)
Known Attacks: None
Description:

This cross-site scripting vulnerability affects registered users. The attack is carried out through an unescaped search parameter, and creates a risk of cookie theft and impersonation of the user.

Product(s) Affected: Magento EE prior to 1.14.2.1
Fixed In: EE 1.14.2.1
Reporter: Hannes Karlsson/Vaimo
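One way to keep an unvalidated Host header out of generated, cacheable pages, the condition described for APPSEC-1030 above. This is an added example in PHP (7.1 or later), not Magento's patch or code; the function names, host names and sample header values are assumptions constructed for illustration.

```php
<?php
// Added example, not Magento code. All host names below are constructed.

/**
 * Return the canonical host for a request, or null when the Host header
 * is not one of the names the store is configured to serve.
 */
function resolveTrustedHost(?string $hostHeader, array $allowedHosts): ?string
{
    if ($hostHeader === null) {
        return null;
    }
    // Accept only a plain hostname with an optional port. Markup, quotes,
    // whitespace and slashes never belong in a Host header. \z (not $)
    // so that a trailing newline cannot slip through.
    if (!preg_match('/^([a-z0-9.-]{1,253})(?::(\d{1,5}))?\z/i', $hostHeader, $m)) {
        return null;
    }
    $host = strtolower(rtrim($m[1], '.'));
    // Exact match against configured names: no suffix or wildcard matching.
    return in_array($host, $allowedHosts, true) ? $host : null;
}

/**
 * Build the base URL written into pages. A rejected header falls back to
 * the configured host, so cached output only ever contains configured names.
 */
function buildBaseUrl(?string $hostHeader, array $allowedHosts, string $fallbackHost): string
{
    $host = resolveTrustedHost($hostHeader, $allowedHosts) ?? $fallbackHost;
    return 'https://' . $host . '/';
}

$allowed = ['store.example.com', 'www.store.example.com'];
$samples = [                                   // constructed Host header values
    'store.example.com',
    'WWW.Store.Example.com:443',
    'other.example',
    'store.example.com"><b>injected</b>',
    'store.example.com.other.example',
];
foreach ($samples as $h) {
    $verdict = resolveTrustedHost($h, $allowed) === null ? 'REJECT' : 'accept';
    printf("%-40s %-7s %s\n", $h, $verdict, buildBaseUrl($h, $allowed, 'store.example.com'));
}
```

Run from the command line, the first two sample values are accepted and the other three are rejected, and every printed base URL carries a configured host name.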

Please refer to Security Best Practices for CE or Security Best Practices for EE for additional information on how to secure your site.

To download the patch, choose from the following options:

  • Partners: Go to the Partner Portal, select Technical Resources and then select Download from the Enterprise Edition panel. Next, navigate to Magento Enterprise Edition > Patches & Support and look for the folder titled "Security Patches – July 2015."

  • Enterprise Edition Merchants: Go to My Account, select the Downloads tab, and then navigate to Magento Enterprise Edition > Support Patches. Look for the folder titled “Security Patches – July 2015.” Merchants can also upgrade to the latest version of the Enterprise Edition and receive the security fixes as part of the core code.

  • Community Edition Merchants: Patches for earlier versions of Community Edition can be found on the Community Edition download page (look for SUPEE-6285). Merchants can also upgrade today to the latest version of the Community Edition and receive the security fixes as part of the core code.

Be sure to implement and test the patch in a development environment first to confirm that it works as expected before deploying it to a production site. Information about installing patches for Magento Enterprise Edition and Magento Community Edition is available online.