Today Magento released a critical security patch called SUPEE-6285. This patch addresses the following security issues:
- It prevents attackers from posing as an administrator to gain access to the last orders feed, which contains personally identifiable information that can then be used to obtain more sensitive information in follow-on attacks. Your customers can check whether they have been targeted by reviewing their web server access logs for requests to the /rss/NEW location.
- It closes a number of security gaps including cross-site scripting (XSS), cross-site request forgery (CSRF), and error path disclosure vulnerabilities.
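As an added example (not part of the Magento announcement or of this post), the log review suggested above can be scripted rather than eyeballed. The script below parses access-log lines in the common Apache/Nginx "combined" format, flags every request whose path matches the /rss/NEW location named above, and summarises the hits per client IP and by HTTP status so an operator can see whether the feed was actually served (200) or refused (401/403). The sample log lines are constructed for this example; the assumption that the match should also cover paths of the form /rss/<segment>/NEW is mine, so adjust `RSS_NEW_PATH` to the paths your own store logs.

```python
import re
import sys
from collections import Counter

# Constructed sample access-log lines (Apache/Nginx "combined" format).
# Addresses, timestamps and user agents are made up for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2015:08:12:01 +0000] "GET /index.php/rss/order/NEW HTTP/1.1" 200 5123 "-" "curl/7.38.0"
198.51.100.7 - - [10/Jul/2015:08:12:09 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 8811 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2015:08:12:15 +0000] "GET /rss/NEW HTTP/1.1" 200 4907 "-" "python-requests/2.7.0"
192.0.2.9 - - [10/Jul/2015:08:13:40 +0000] "GET /checkout/cart/ HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2015:09:01:02 +0000] "GET /rss/order/new?x=1 HTTP/1.1" 401 1207 "-" "curl/7.38.0"
"""

# One "combined" log line: client ip, identd, user, [time], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The post names the /rss/NEW location. Assumption (mine): also treat
# /rss/<segment>/NEW as the same feed. Matching is case-insensitive because
# Magento's front controller does not care about the case of "NEW".
RSS_NEW_PATH = re.compile(r'/rss(?:/[^/?\s]+)*/new/?(?:\?|$)', re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_rss_new_requests(log_text):
    """Return the parsed records whose request path hits the /rss/NEW feed."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and RSS_NEW_PATH.search(rec["path"]):
            hits.append(rec)
    return hits


def summarize(hits):
    """Count flagged requests per client IP (dict ip -> count)."""
    return dict(Counter(h["ip"] for h in hits))


def served_feed(hits):
    """Only the hits where the server answered 200, i.e. the feed was actually returned."""
    return [h for h in hits if h["status"] == 200]


def report(log_text, out=sys.stdout):
    """Print a short review of flagged requests; returns the hits for further handling."""
    hits = find_rss_new_requests(log_text)
    for h in hits:
        out.write(f'{h["time"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}\n')
    out.write(f"flagged requests: {len(hits)}, served (200): {len(served_feed(hits))}\n")
    for ip, n in summarize(hits).items():
        out.write(f"  {ip}: {n}\n")
    return hits


if __name__ == "__main__":
    # Read a real log from a file argument, otherwise run on the constructed sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    report(text)
```

Run it as `python check_rss_new.py /var/log/apache2/access.log` to review a real log; with no argument it runs over the constructed sample. A 200 response on a flagged line before the patch was applied means the feed was returned and the order data in it should be treated as exposed; 401/403 responses show the same probing without disclosure.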
This security patch has been applied to every Magento website we support.
Here's the complete announcement from Magento regarding this security issue and patch.