Magento has released a new pack of security updates, SUPEE-7405, that resolves several security-related issues. It can be considered a mega update, addressing 20 known security issues in Magento. The issues range from a brute-force attack to a CAPTCHA vulnerability to a payment gateway fix. We highly recommend that all Magento users patch their website with the latest security updates at the earliest opportunity to avoid being attacked or compromised. Here is the list of security updates. For more information, you can visit the Magento Security blog.
- Stored XSS via email address – APPSEC-1213
- Stored XSS in Order Comments – APPSEC-1239
- Stored XSS in Order – APPSEC-1260
- Guest order view protection code vulnerable to brute-force attack – APPSEC-1270
- Information Disclosure in RSS feed – APPSEC-1171
- CSRF token not validated on backend login page – APPSEC-1206
- Malicious files can be uploaded via backend – APPSEC-1306
- CSRF leading to execution of admin actions after login – APPSEC-1179
- Excel Formula Injection via CSV/XML export – APPSEC-1110
- XSS in Product Custom Options – APPSEC-1267
- Editing or Deleting Reviews without permission – APPSEC-1268
- Disruption of email delivery – APPSEC-1177
- CAPTCHA Bypass – APPSEC-1283
- Admin path disclosure via Authorize.net – APPSEC-1208
- XSS Payload in website’s translation table – APPSEC-1214
- CSRF Delete Items from Cart – APPSEC-1212
- XSS via custom options – APPSEC-1276
- Risky serialized string filtering – APPSEC-1204
- Reflected XSS in backend coupon entry – APPSEC-1305
- Injected code can be stored in database – APPSEC-1240