MAGENTO SECURITY PATCH SUPEE-5994 RELEASED

SUPEE-5994 is a bundle of eight patches that resolve several security-related issues.

Several security issues, each rated with a CVSSv3 severity score, were found that affect Magento products. The main bugs are summarised below:

Issue Type: Information Leakage (Internal)

CVSSv3 Severity: 5.3 (Medium)
Security Bug: Admin Path Disclosure
Description: An attacker can force the Admin Login page to appear by directly calling a module, regardless of the URL. This exposes the Admin URL on the page and makes it easier to initiate password attacks.

Issue Type: Customer Address Leak through Checkout

CVSSv3 Severity: 5.3 (Medium)
Security Bug: Information Disclosure / Leakage (Confidential or Restricted)
Description: Enables an attacker to obtain address information (name, address, phone) from the address books of other store customers. During the checkout process, the attacker can gain access to an arbitrary address book by entering a sequential ID. No payment information is returned. The only requirement for the attacker is to create an account in the store, put any product into the cart, and start the checkout process. This attack can be fully automated, and a functional proof of concept exists.
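The checkout address leak described above is a missing ownership check: the server loads whatever address ID the browser submits. The following PHP is an added illustration of that defect beside its fix; it is not Magento's code, and the class names (Address, AddressRepository), the findById() method and the sample address book are assumptions constructed for this example.

```php
<?php
// Added illustrative example, not Magento's code. A checkout step loads a saved
// address by the ID submitted from the browser. AddressRepository, findById()
// and the sample rows below are constructed for this illustration.

final class Address
{
    public function __construct(
        public readonly int $id,
        public readonly int $customerId,   // owner of this address book entry
        public readonly string $name,
        public readonly string $street,
        public readonly string $phone,
    ) {}
}

final class AddressRepository
{
    /** @var array<int, Address> constructed sample data keyed by address ID */
    private array $rows;

    public function __construct()
    {
        // Constructed sample address book: two customers (7 and 9), three entries.
        $this->rows = [
            41 => new Address(41, 7, 'Alice Example', '1 Main St', '555-0100'),
            42 => new Address(42, 9, 'Bob Example',   '2 High St', '555-0101'),
            43 => new Address(43, 7, 'Alice Example', '3 Park Ave', '555-0102'),
        ];
    }

    public function findById(int $id): ?Address
    {
        return $this->rows[$id] ?? null;
    }
}

// VULNERABLE pattern: the submitted ID is trusted and ownership is never checked,
// so any logged-in customer who walks sequential IDs reads other customers' entries.
function loadAddressVulnerable(AddressRepository $repo, int $requestedId): ?Address
{
    return $repo->findById($requestedId);
}

// HARDENED pattern: the entry must exist AND belong to the authenticated customer.
// Both failure cases return null so the response does not reveal whether the ID exists,
// and the denied attempt is logged so sequential probing shows up in the application log.
function loadAddressHardened(AddressRepository $repo, int $currentCustomerId, int $requestedId): ?Address
{
    $address = $repo->findById($requestedId);
    if ($address === null || $address->customerId !== $currentCustomerId) {
        error_log(sprintf('address access denied: customer=%d requested_id=%d',
                          $currentCustomerId, $requestedId));
        return null;
    }
    return $address;
}

$repo = new AddressRepository();
$loggedInCustomer = 7; // Alice's session (constructed)

// Alice's checkout submits the next sequential ID, which belongs to Bob.
var_dump(loadAddressVulnerable($repo, 42)?->name);                     // Bob's entry is returned: the leak
var_dump(loadAddressHardened($repo, $loggedInCustomer, 42));           // denied and logged
var_dump(loadAddressHardened($repo, $loggedInCustomer, 43)?->street);  // her own entry still loads
```

The ownership check belongs in the server-side loader, not in the form: hiding IDs in the HTML or making them non-sequential only raises the cost of guessing, whereas comparing the record's owner to the session's customer closes the hole regardless of how the ID was obtained. The denial log line also gives a simple detection signal, since one customer producing many denied lookups in a short window is the automated pattern the advisory describes.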

Issue Type: Information Disclosure / Leakage (Confidential or Restricted)

CVSSv3 Severity: 5.3 (Medium)
Security Bug: Customer Information Leak through Recurring Profile
Description: This issue enables an attacker to obtain address (name, address, phone), previous order (items, amounts) and payment method (payment method, recurrence) information from the recurring payment profiles of other store customers.

Issue Type: Cross-site Scripting (XSS) - Reflected

CVSSv3 Severity: 8.2 (High)
Security Bug: Customer Information Leak through Recurring Profile
Description: This issue enables an attacker to execute JavaScript code within the context of a Magento Connect Manager session. If the administrator clicks a malicious link, the session can be stolen, and malicious extensions installed.
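A reflected XSS of the kind described above arises when a request value is written back into the page without escaping. The PHP below is an added example, not code from Magento or Connect Manager: it shows the unescaped rendering beside a hardened version that escapes for the HTML context and marks the session cookie HttpOnly so a script running in the page cannot simply read it. The parameter name "extension", the page fragment and the sample input are assumptions constructed for this illustration.

```php
<?php
// Added illustrative example, not Magento's or Connect Manager's code.
// A request parameter (assumed name: "extension") is rendered back into an admin page.

// Limit what a script in the page can do with the session: an HttpOnly cookie is
// not readable from JavaScript, which blunts the session theft the advisory mentions.
ini_set('session.cookie_httponly', '1');

// Constructed input standing in for a query-string value an administrator might be
// lured into following. Here it is only a string and never executes.
$untrusted = '<script>alert(document.cookie)</script>';

// VULNERABLE: the value is concatenated straight into markup, so the browser sees a
// real <script> element when the page is rendered.
function renderVulnerable(string $value): string
{
    return '<p>Extension: ' . $value . '</p>';
}

// HARDENED: escape for the HTML body context before output. ENT_QUOTES also escapes
// single quotes, so the same helper is safe inside a quoted attribute value;
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently producing an empty string.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderHardened(string $value): string
{
    return '<p>Extension: ' . escapeHtml($value) . '</p>'
         . '<input type="text" name="extension" value="' . escapeHtml($value) . '">';
}

// The first line contains a live script element; the second shows the same text
// as harmless entities in both the text node and the attribute.
echo renderVulnerable($untrusted), PHP_EOL;
echo renderHardened($untrusted), PHP_EOL;
```

Escaping is context-specific: escapeHtml() above is correct for text nodes and quoted attributes, but a value placed inside a JavaScript block or a URL needs the encoding for that context instead. HttpOnly does not prevent the script from acting on the administrator's behalf while the page is open (such as submitting an extension install form), which is why the output escaping, not the cookie flag, is the actual fix.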

Source: Magento

Magento strongly recommends deploying these security patches right away to keep stores secure and performing well.

What else can be done to protect a Magento site?

Apart from installing the security patches, you can ask Magento certified professionals to conduct a security audit every quarter to confirm that your store is secure, especially if you have installed new extensions or made changes to the site.

Consult our certified Magento developers if you want help implementing this security patch. If you have any questions regarding the Magento security patch SUPEE-5994, please contact our support team.