
Magento Tells Users to Update Immediately to Address Seven Security Issues

Magento released a new bundle of patches on Thursday night to address several security-related issues, including flaws that made it easier for attackers to initiate password attacks and gather address information from store customers. Magento is warning users of all current versions of Magento CE and EE to update immediately.

According to a notice in its patch releases, SUPEE-5994 is a bundle of seven patches that can be downloaded from the Downloads section of Magento accounts.

The admin path disclosure security issue allows an attacker to force the Admin Login page to appear by directly calling a module, regardless of the URL, making it easier to initiate password attacks.

The customer address leak through checkout vulnerability allows attackers to obtain address information (name, address, phone) from the address books of other store customers. The attack can be fully automated.

Other security issues include a spreadsheet formula injection, which allows attackers to have a formula executed when data is exported and opened in a spreadsheet. Magento says the formula can “modify data, export personal data to another site, or cause remote code execution.”

The cross-site scripting attack that one of the patches addresses enabled an attacker to execute JavaScript in the context of a customer session. Once a customer clicks a malicious link, “the attacker can steal cookies and hijack the session, which can expose personal information and compromise checkout.”

Magento provides guides for users to apply the patch, but Nimbus Hosting is recommending clients ask their Magento developer to install the patch.

“It needs to be uploaded to your website root folder, then a command needs to be run via SSH to apply it. We’ve seen it cause coding issues/conflicts (rare) but we’d still recommend having your developer on hand just in case. If you need one, drop us an email and we’ll send over some of the best we work with to get a quote from,” Nimbus said in a blog post on Friday.

At the end of April, Magento released a patch for the “Magento Shoplift” vulnerability, which allowed remote code execution and let attackers obtain control over a store and its sensitive data, including personal customer information.


The post Magento Tells Users to Update Immediately to Address Seven Security Issues appeared first on Domainz Guru.


