The Magento SUPEE-6285 patch is a bundle of eight fixes for security issues in Magento CE 1.x and EE 1.x. This post walks through the patch and the vulnerabilities it addresses.
Magento SUPEE-6285 Patch
Customer Information Leak via RSS and Privilege Escalation – APPSEC-996
Type: Privilege Escalation / Insufficient Data Protection
CVSSv3 Severity: 7.5 (High)
Known Attacks: None
Description: An improper check for authorized URLs leads to a leak of customer information, including:
- order information
- order IDs
- customer names
The leaked information simplifies an attack on guest Order Review, which exposes the customer's email address and shipping and billing addresses. Guest Order Review in Magento asks for the order ID, the billing last name, and either the email address or the billing ZIP code, so an attacker who already holds the order ID and name has only one field left to supply. In some areas, the same underlying issue can lead to privilege escalation for Admin accounts.
Product(s) Affected: Magento CE prior to 1.9.2.0, and Magento EE prior to 1.14.2.1
Fixed In: CE 1.9.2.0, EE 1.14.2.1
Reporter: Erik Wohllebe
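As an added example (not Magento's code; function names and the sample orders are hypothetical, constructed for this illustration), an order-view handler that performs an authorization check before returning any order data, for the logged-in customer path, the guest order-review path, and an admin-only order listing:

```php
<?php
// Added example, not Magento code. Order data must only be returned after an
// authorization check; a missing check is the class of bug behind APPSEC-996.

// Constructed sample data standing in for the orders table.
$ORDERS = [
    '100000042' => ['customer_id' => 7, 'last_name' => 'Doe', 'email' => 'jane@example.com',
                    'zip' => '90210', 'total' => '42.00'],
];

// Logged-in path: the session's customer must own the order.
function order_for_customer(array $orders, string $orderId, ?int $sessionCustomerId): ?array {
    if ($sessionCustomerId === null) {
        return null;                       // anonymous: never serve by ID alone
    }
    $order = $orders[$orderId] ?? null;
    if ($order === null || $order['customer_id'] !== $sessionCustomerId) {
        return null;                       // wrong owner looks identical to "not found"
    }
    return $order;
}

// Guest order review: order ID, billing last name and email (or ZIP) must all match.
// hash_equals keeps the comparison constant-time, and every failure returns the
// same null so the response does not confirm which field was right.
function order_for_guest(array $orders, string $orderId, string $lastName, string $emailOrZip): ?array {
    $order = $orders[$orderId] ?? null;
    if ($order === null) {
        return null;
    }
    $nameOk  = hash_equals(strtolower($order['last_name']), strtolower(trim($lastName)));
    $proofOk = hash_equals(strtolower($order['email']), strtolower(trim($emailOrZip)))
            || hash_equals($order['zip'], trim($emailOrZip));
    return ($nameOk && $proofOk) ? $order : null;
}

// Feed-style listing of recent orders: requires an authenticated admin, never a
// bare URL that anyone can fetch.
function new_orders_feed(array $orders, bool $isAdminAuthenticated): array {
    if (!$isAdminAuthenticated) {
        return [];
    }
    $items = [];
    foreach ($orders as $id => $o) {
        $items[] = ['id' => $id, 'name' => $o['last_name'], 'total' => $o['total']];
    }
    return $items;
}

// Demo with the constructed data.
var_dump(order_for_customer($ORDERS, '100000042', 7) !== null);
var_dump(order_for_customer($ORDERS, '100000042', 8) !== null);
var_dump(order_for_customer($ORDERS, '100000042', null) !== null);
var_dump(order_for_guest($ORDERS, '100000042', 'Doe', 'jane@example.com') !== null);
var_dump(order_for_guest($ORDERS, '100000042', 'Doe', 'wrong') !== null);
var_dump(count(new_orders_feed($ORDERS, false)));
```

The point of the guest path is that each lookup field is a secret in its own right: if a feed already leaks the order ID and the customer name, only the email or ZIP stands between the attacker and the order details, which is why such endpoints also deserve rate limiting.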
Request Forgery in Magento Connect Leads to Code Execution – APPSEC-924
Type: Cross-site Request Forgery
CVSSv3 Severity: 9.3 (Critical)
Known Attacks: None
Description: A cross-site request forgery in Magento Connect Manager allows an attacker to execute actions, including the installation of a remote module, which leads to remote code execution. The attack requires a Magento store administrator who is logged into Magento Connect Manager to click a link prepared by the attacker.
Product(s) Affected: Magento CE prior to 1.9.2.0, and Magento EE prior to 1.14.2.1
Fixed In: CE 1.9.2.0, EE 1.14.2.1
Reporter: Nicolas Melendez
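The following is an added example, not Magento Connect Manager's own code (Connect Manager is the separate application served from the downloader/ directory). It shows the two controls that make the "click a prepared link" scenario fail: a state-changing action only accepted over POST, and a per-session anti-CSRF token compared in constant time. The handler, the session array and the extension-key format are hypothetical.

```php
<?php
// Added example, not Magento Connect Manager's code. A state-changing action such
// as "install extension" must only run on a POST that carries a token bound to the
// admin's session; a GET reached through a link the attacker prepared must be refused.

function csrf_token(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));   // per-session, unguessable
    }
    return $session['csrf_token'];
}

function csrf_valid(array $session, array $post): bool {
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if (!is_string($given) || $expected === '' || $given === '') {
        return false;
    }
    return hash_equals($expected, $given);                     // constant-time comparison
}

// Hypothetical install handler. Returns a status string instead of acting so the
// decision logic is visible; a real handler would go on to download and install.
function install_extension(array $session, array $request, string $method): string {
    if ($method !== 'POST') {
        return 'refused: install must be a POST, not a link';
    }
    if (!csrf_valid($session, $request)) {
        return 'refused: missing or invalid CSRF token';
    }
    $key = $request['extension'] ?? '';
    // Hypothetical key format "channel/Vendor_Module"; anything else is rejected.
    if (!is_string($key) || !preg_match('~^[a-z0-9-]+/[A-Za-z0-9_]+$~', $key)) {
        return 'refused: malformed extension key';
    }
    return "accepted: would install $key";
}

// Hidden field to embed in the install form (escaped for the HTML attribute).
function csrf_field(array &$session): string {
    return '<input type="hidden" name="csrf_token" value="'
         . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '">';
}

// Demo with a constructed session. The first two requests model the attack
// (a prepared link, then a forged POST without the right token); the third is legitimate.
$session = [];
$token   = csrf_token($session);
$ext     = ['extension' => 'community/Vendor_Module'];
echo install_extension($session, $ext, 'GET'), "\n";
echo install_extension($session, $ext + ['csrf_token' => 'guess'], 'POST'), "\n";
echo install_extension($session, $ext + ['csrf_token' => $token], 'POST'), "\n";
```

A page on another origin can make the browser send the administrator's cookies, but it cannot read the token out of the Connect Manager form, so the forged request never carries a valid value. Refusing GET for the install action closes the simplest variant, a plain link or image tag.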
Cross-Site Scripting in Wishlist – APPSEC-1012
Type: Cross-site Scripting (Other)
CVSSv3 Severity: 5.3 (Medium)
Known Attacks: None
Description: It is possible to include an unescaped customer name in the email sent when a wishlist is shared. By manipulating the customer name, an attacker can use the store to send spoofing or phishing emails.
Product(s) Affected: Magento CE prior to 1.9.2.0, and Magento EE prior to 1.14.2.1
Fixed In: CE 1.9.2.0, EE 1.14.2.1
Reporter: Bastian Ike
Cross-Site Scripting in Cart – APPSEC-1005
Type: Cross-site Scripting (Reflected)
CVSSv3 Severity: 6.1 (Medium)
Known Attacks: None
Description: The redirect link on the empty cart page uses unvalidated user input, which makes it possible to inject JavaScript into the page through URL parameters. Cookies and other information could be sent to the attacker, who could then impersonate the customer.
Product(s) Affected: Magento CE prior to 1.9.2.0, and Magento EE prior to 1.14.2.1
Fixed In: CE 1.9.2.0, EE 1.14.2.1
Reporter: Hannes Karlsson
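The following is an added example rather than Magento's cart template. It places the bug class behind this entry, a "continue shopping" URL taken straight from the request and written into an href, next to a hardened version that accepts only same-site http(s) URLs or absolute paths and escapes the result for the attribute context. Function names, the parameter and the store base URL are hypothetical, and the inputs are constructed.

```php
<?php
// Added example, not Magento's cart template. Shows the bug class behind APPSEC-1005
// (an unvalidated, unescaped "continue shopping" URL taken from the request) next
// to a hardened version. Parameter and function names are hypothetical.

// Vulnerable: request input lands in an href attribute unchanged.
function continue_link_vulnerable(?string $candidate): string {
    return '<a href="' . $candidate . '">Continue Shopping</a>';
}

// Hardened: accept only a same-site http(s) URL or an absolute path, else fall back.
function safe_continue_url(?string $candidate, string $storeBase): string {
    $fallback = rtrim($storeBase, '/') . '/';
    if ($candidate === null || $candidate === '' || strlen($candidate) > 2048) {
        return $fallback;
    }
    if (preg_match('/[\x00-\x1F\x7F\\\\]/', $candidate)) {
        return $fallback;          // control chars and backslashes confuse URL parsers
    }
    $parts = parse_url($candidate);
    $base  = parse_url($storeBase);
    if ($parts === false || $base === false || !isset($base['host'])) {
        return $fallback;
    }
    if (isset($parts['scheme']) && !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;          // rejects javascript:, data:, vbscript: ...
    }
    if (isset($parts['host'])) {
        if (strcasecmp($parts['host'], $base['host']) !== 0 || isset($parts['user'])) {
            return $fallback;      // off-site host, protocol-relative //evil, or user@host tricks
        }
    } elseif (!isset($parts['path']) || $parts['path'] === '' || $parts['path'][0] !== '/') {
        return $fallback;          // relative values like "foo" or "?x" are not accepted
    }
    return $candidate;
}

function continue_link_hardened(?string $candidate, string $storeBase): string {
    $url = safe_continue_url($candidate, $storeBase);
    // Escaping is still required even for an accepted URL, since '"' and '<' can
    // appear in a syntactically valid query string.
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">Continue Shopping</a>';
}

// Demo on constructed inputs: a legitimate path, a markup-breaking value, a
// scheme that would execute script, and a protocol-relative off-site URL.
$base   = 'https://shop.example.com';
$inputs = [
    '/catalog/category/view/id/5',
    '"><script>alert(document.cookie)</script>',
    'javascript:alert(1)',
    '//evil.example.net/phish',
];
foreach ($inputs as $in) {
    echo "input:      $in\n";
    echo "vulnerable: " . continue_link_vulnerable($in) . "\n";
    echo "hardened:   " . continue_link_hardened($in, $base) . "\n\n";
}
```

Validation and escaping solve different problems here: the allow-list keeps the link from pointing off-site or at a script scheme, and htmlspecialchars keeps any accepted value from breaking out of the attribute. Dropping either one leaves a gap.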
Store Path Disclosure – APPSEC-847
Type: Information Leakage (Internal)
CVSSv3 Severity: 5.3 (Medium)
Known Attacks: None
Description: Directly accessing the URL of certain files related to Magento Connect produces an exception that includes the server path. The exception is shown regardless of the configuration settings that control the display of exceptions. There is a low risk of an attacker gaining sufficient understanding of the site structure to target an attack.
Product(s) Affected: Magento CE prior to 1.9.2.0, and Magento EE prior to 1.14.2.1
Fixed In: CE 1.9.2.0, EE 1.14.2.1
Reporter: Ryan Satterfield
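As an added example (not Magento's error handling), a top-level exception handler of the kind that stops a path leak like this one: full detail goes to the server log, the client gets a generic page, and the behaviour does not depend on display_errors. The handler name and the demo exception are hypothetical; the generic message text is the one Magento's own error page uses.

```php
<?php
// Added example, not Magento's error handling. An uncaught exception must be
// logged with its full detail server-side and answered with a generic page, so
// that the filesystem path never reaches the client even when display_errors is on.

function handle_uncaught(Throwable $e): void {
    // Full detail (class, message, file, line, trace) goes to the log only.
    error_log(sprintf('[%s] %s: %s in %s:%d%s%s', date('c'), get_class($e),
        $e->getMessage(), $e->getFile(), $e->getLine(), PHP_EOL, $e->getTraceAsString()));
    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: text/html; charset=UTF-8');
    }
    // Generic body: no message, no path, no trace.
    echo '<h1>There has been an error processing your request</h1>';
}

set_exception_handler('handle_uncaught');
ini_set('display_errors', '0');      // also stop PHP's own error output from echoing paths

// Demo: a failure whose message carries an absolute path, as a missing include would.
throw new RuntimeException('Failed to open ' . __DIR__ . '/lib/missing.php');
```

The handler is a safety net, not the whole fix: files that are only meant to be included by other scripts should also be kept unreachable by direct request, through web-server rules or by placing them outside the document root.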
Permissions on Log Files Too Broad – APPSEC-802
Type: Information Leakage (Internal)
CVSSv3 Severity: 3.8 (Low)
Known Attacks: None
Description: Log files are created with permission settings that are too broad, allowing them to be read or altered by other users on the same server. The risk of an internal information leak is low.
Product(s) Affected: Magento CE prior to 1.9.2.0, and Magento EE prior to 1.14.2.1
Fixed In: CE 1.9.2.0, EE 1.14.2.1
Reporter: Ryan Satterfield
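The following is an added example and not Magento's Mage::log. It shows how an application creates log files so that only its own user (and its group, read-only) can reach them, and how to audit an existing log directory for files other accounts on the host could read or modify. The function names are hypothetical and the demo writes into a throwaway directory under the system temp path.

```php
<?php
// Added example, not Magento's Mage::log. Creates log files so that only the web
// server user (and its group, read-only) can access them, and audits an existing
// log directory for files other users on the host could read or modify.

function append_log(string $path, string $line): void {
    $dir = dirname($path);
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        throw new RuntimeException("cannot create $dir");
    }
    $previous = umask(0027);          // new files become 0640, new dirs 0750
    try {
        $fh = fopen($path, 'ab');
        if ($fh === false) {
            throw new RuntimeException("cannot open $path");
        }
        fwrite($fh, rtrim($line, "\r\n") . PHP_EOL);
        fclose($fh);
    } finally {
        umask($previous);             // do not leak the tighter umask to the rest of the request
    }
    chmod($path, 0640);               // also tightens files created earlier with a loose mode
}

// Returns path => mode for every *.log in $dir that is group-writable or
// readable/writable/executable by "other".
function loose_log_files(string $dir): array {
    clearstatcache();                 // fileperms() is cached; read fresh modes
    $loose = [];
    foreach (glob(rtrim($dir, '/') . '/*.log') ?: [] as $file) {
        $mode = fileperms($file) & 0777;
        if (($mode & 0027) !== 0) {
            $loose[$file] = $mode;
        }
    }
    return $loose;
}

// Demo in a throwaway directory: one file written the safe way, one planted
// with the over-broad mode the advisory describes.
$dir = sys_get_temp_dir() . '/log-perms-demo-' . getmypid();
append_log("$dir/system.log", 'constructed log line');
file_put_contents("$dir/exception.log", "constructed line\n");
chmod("$dir/exception.log", 0666);

clearstatcache();
printf("system.log mode: %04o\n", fileperms("$dir/system.log") & 0777);
foreach (loose_log_files($dir) as $file => $mode) {
    printf("too broad: %s (%04o)\n", $file, $mode);
    chmod($file, 0640);               // fix-up pass for files already on disk
}
echo 'after fix: ', (loose_log_files($dir) ? 'still loose' : 'all tight'), "\n";
```

The umask is the part that matters for new files, since fopen creates them with 0666 masked by the process umask; the explicit chmod afterwards covers files that an earlier, looser version of the code already created. On a shared host, var/log is worth auditing with the same bitmask after patching.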
Cross-Site Scripting in Admin – APPSEC-852
Type: Cross-site Scripting (Stored)
CVSSv3 Severity: 6.5 (Medium)
Known Attacks: None
Description: An attacker can inject JavaScript into the title of a Widget from the Magento Admin. The code is executed later when another administrator opens the Widget page.
Exploiting this requires the attacker to already have administrator access to the store; once executed, it lets the attacker take over other administrator accounts.
Product(s) Affected: Magento CE prior to 1.9.2.0, and Magento EE prior to 1.14.2.1
Fixed In: CE 1.9.2.0, EE 1.14.2.1
Reporter: Sasi Levi
Cross-Site Scripting in Orders RSS – APPSEC-1012
Type: Cross-site Scripting (Stored)
CVSSv3 Severity: 5.3 (Medium)
Known Attacks: None
Description: The vulnerability allows an attacker to include an unescaped customer name in the New Orders RSS feed. By manipulating the customer name, an attacker can inject incorrect or malicious data into the feed, which exposes the store to risk.
Product(s) Affected: Magento CE prior to 1.9.2.0, and Magento EE prior to 1.14.2.1
Fixed In: CE 1.9.2.0, EE 1.14.2.1
Reporter: Bastian Ike
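The three stored cross-site scripting items above (the wishlist sharing email, the widget title in Admin, and the New Orders RSS feed) share one root cause: a user-controlled string written into markup without escaping for the context it lands in. The following added example, which is not Magento's code, shows output encoding for each of those contexts: HTML body, email header, and XML built with a serializer rather than string concatenation. The hostile value and the function names are constructed for the illustration.

```php
<?php
// Added example, not Magento's code. The three stored-XSS items above (wishlist
// email, widget title, New Orders RSS) share one root cause: a user-controlled
// string written into markup without escaping for that context. Names hypothetical.

// Constructed attacker-controlled value, as a customer name or widget title would be.
$hostile = 'Jane <script>alert(1)</script> & "Co" <a href="http://phish.example/">Verify</a>';

// HTML context (email body, admin page): escape all five metacharacters.
function esc_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Email header context (From name, Subject): headers cannot be escaped, only
// cleaned; CR/LF would let the value inject additional headers.
function esc_header(string $s): string {
    return trim((string) preg_replace('/[\r\n\x00]+/', ' ', $s));
}

// Vulnerable RSS builder: string concatenation puts the name into XML unescaped.
function rss_item_vulnerable(string $orderId, string $customerName): string {
    return "<item><title>Order $orderId from $customerName</title></item>";
}

// Hardened RSS builder: the DOM serializer escapes text nodes for XML, so the
// feed stays well-formed and the payload is inert text in a feed reader.
function rss_item_hardened(string $orderId, string $customerName): string {
    $doc   = new DOMDocument('1.0', 'UTF-8');
    $item  = $doc->createElement('item');
    $title = $doc->createElement('title');
    $title->appendChild($doc->createTextNode("Order $orderId from $customerName"));
    $item->appendChild($title);
    $doc->appendChild($item);
    return $doc->saveXML($item);
}

// Demo across the three contexts.
echo "HTML email body:\n  <p>", esc_html($hostile), " shared a wishlist with you.</p>\n";
echo "Subject header:\n  ", esc_header("Wishlist from $hostile\r\nBcc: victim@example.com"), "\n";
echo "RSS (vulnerable):\n  ", rss_item_vulnerable('100000042', $hostile), "\n";
echo "RSS (hardened):\n  ", rss_item_hardened('100000042', $hostile), "\n";
```

Escaping is applied at output, per context, rather than at input: the same customer name is stored once and rendered correctly in an HTML email, a mail header and an XML feed. Stripping tags on input would not help the header case and would still leave the XML case broken.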
Refer to Security Best Practices for CE or Security Best Practices for EE for additional information on how to secure your site.
Before deploying the patch to a production site, apply and test it in a development environment to confirm that it works as expected. The patch script records itself in app/etc/applied.patches.list, which is the quickest way to confirm that the patch is in place on a given install.
If you have any questions or concerns about Magento SUPEE-6285 Patch, don’t hesitate to contact us with the link below!