Magento has just released patch SUPEE-6482, which addresses four different vulnerabilities affecting Magento Community and Enterprise editions. We strongly advise all Magento store administrators to update to the latest version to address these vulnerabilities (220.127.116.11 for Community or 18.104.22.168 for Enterprise). Those that do not want to update to the most current version of Magento must manually apply the SUPEE-6482 patch to fix these same vulnerabilities.
The first two vulnerabilities involve issues with input validation in the Magento API. In one of these, an attacker could remotely include arbitrary PHP code in an API request. This type of attack only works when used against specific server and PHP configurations and while logged in with valid API credentials. However, this still presents a risk in cases where a compromised API account has only limited access because attackers may exploit it to escalate their privileges. The other API vulnerability allows an attacker to probe internal network resources using a malformed API password.
The next two vulnerabilities addressed by SUPEE-6482 affect only Magento Enterprise users, but are much more severe. The worst of these involves cache poisoning, where attackers use unvalidated host headers to modify pages in a Magento store, though this will only work on specific server configurations. Finally, the patch addresses a cross-site-scripting vulnerability in the Magento’s gift registry search. This vulnerability allows attackers to steal cookies or impersonate Magento users, presumably by tricking those users into following a malicious link.
For more information about how to apply the patches to your Magento store, refer to the instructions on the Magento website.
For additional details about the SUPEE-6482 patch, refer to the Magento release notes.