Magento has made available a new patch bundle that addresses several serious security vulnerabilities. Magento CE & EE users should update immediately to ensure that their eCommerce store and its users are not put at risk.

Among the vulnerabilities addressed are the potential leaking of customer information and cross-site scripting vulnerabilities.

The patch bundle — which is part of the recently released Magento Community Edition 1.9.2 — has been given the code SUPEE-6285, and is available from Magento’s site. Before applying the SUPEE-6285 patch bundle, you must also have applied SUPEE-5994, which is available at the above link.

Applying The Patch

The easiest way to get the fixes included in SUPEE-6285 is to update to the most recent version of Magento Community Edition. If you would rather install the patch without upgrading, follow the instructions below.

To apply the patch:

• Log in to your server via SSH.
• Change directory to the root of your Magento install (yourdomain.com/html).
• Execute the patch with the following command, changing the patch file name to match the version you have downloaded: ‘sh patch_file_name.sh’
  Example:
  sh PATCH_SUPEE-6285.8.0.0_v1-2015-02-10-08-10-38.sh
• Once installed, your Magento caches should be flushed. Re-compile if you are using the Magento compiler.

We also recommend first testing the patch on your development environment before placing it live on your production site.

As always, if you have any question, please feel free to email our support team at [email protected].

Get Future Security Updates From Magento

Magento recently launched a Security Alert Registry to inform Magento users of security related information. It’s the best way to get the most recent Magento security news.

What Does SUPEE-6285 Fix?

The new patch addresses a host of security vulnerabilities. Full details are available in the Magento 1.9.2 change-log, but among the most significant fixes are:

• An RSS customer information leak and privilege escalation
• Cross-site scripting vulnerabilities in wish lists. This vulnerability could be exploited by an attacker to send phishing emails from a Magento store.
• Cross-site scripting vulnerabilities in the cart. This allows attackers to use URL parameters to insert JavaScript into a page and harvest user information and authentication credentials.

As usual, you should update your store as soon as possible. Because the patch has been published, the vulnerabilities are now widely known. Any delay in applying the patch will put shoppers and retailers at risk.