January 25, 2016
All Magento websites have been patched for all clients on both Community and Enterprise versions of Magento.
January 20, 2016
Magento released a bundle of patches today for both the Community and Enterprise versions, patch SUPEE-7405. Here are the security problems addressed in this patch:
- Cross-site Scripting (XSS) - Stored
  - Severity = 9.3 (Critical)
- Cross-site Scripting (XSS) - Stored
  - Severity = 9.3 (Critical)
- Severity = 9.3 (Critical)
- Cross-site Scripting (XSS) - Stored
  - Severity = 7.5 (High)
- Information Leakage
  - Severity = 7.5 (High)
- Cross-site Request Forgery (CSRF)
  - Severity = 7.4 (High)
- Insufficient Protection
  - Severity = 6.5 (Medium)
- Cross-site Request Forgery (CSRF)
  - Severity = 6.1 (Medium)
- Insufficient Data Protection
  - Severity = 5.4 (Medium)
- Denial of Service
  - Severity = 5.3 (Medium)
- Brute Force (Generic) / Insufficient Anti-automation
  - Severity = 5.3 (Medium)
- Information Disclosure (Internal)
  - Severity = 5.3 (Medium)
- Cross-site Scripting (XSS) - Stored
  - Severity = 4.3 (Medium)
- Cross-site Scripting (XSS) - Stored
  - Severity = 3.8 (Low)
- Cross-site Scripting (XSS) - Reflected
  - Severity = 0.0 (Low)
- Improper Input Handling
  - Severity = 0.0 (None)
We realize the above is cryptic and that understanding each vulnerability would be very difficult. However, it does illustrate the number of security-related vulnerabilities and the criticality of each. If you are interested in learning more about these vulnerabilities, please visit Magento's website:
Modern Retail is testing this patch now and will be rolling it out to your website as soon as possible. We'll be posting additional information about the patch here, so please check back for the latest updates.
Please submit a Support Request if you have any questions about this patch. Thank you.