Magento has released a new security patch, SUPEE-6285, for versions 1.6 and newer.
This bundle includes protection against the following security-related issues:
- Customer Information Leak via RSS and Privilege Escalation
- Request Forgery in Magento Connect Leads to Code Execution
- Cross-site Scripting in Wishlist
- Cross-site Scripting in Cart
- Store Path Disclosure
- Permissions on Log Files too Broad
- Cross-site Scripting in Admin
- Cross-site Scripting in Orders RSS
What you need to do
You must apply this new security patch as soon as possible. It can be downloaded from https://www.magentocommerce.com/download
You can either patch the store yourself using the instructions below, or submit a (chargeable) maintenance support ticket at https://www.theclientarea.info, where our support team can apply the patch on your behalf (estimated 5-10 minutes application time).
- Download the appropriate version of the patch for your store from https://www.magentocommerce.com/download
- After downloading the patch, upload it to your Magento document root
- Log in via SSH as www-data
- Change directory to your Magento installation (replace the path as necessary), e.g.
- Execute the patch by running `bash` followed by the patch filename, e.g.
- If the patch was applied successfully, you should see the following output:
    Checking if patch can be applied/reverted successfully...
    Patch was applied/reverted successfully.
- After patch application, thoroughly test your store including customer account registration and the full checkout process.
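The steps above can be wrapped in a small shell function so that the patch run is logged and only reported as successful when the patch script prints the final line quoted above. This is an added example, not part of the Magento notice or of the SUPEE-6285 patch itself; the document root, patch filename and expected user are placeholders supplied by the caller, and the `app/Mage.php` sanity check assumes a Magento 1.x layout.

```shell
#!/bin/sh
# Added example (not from the original notice): run a downloaded SUPEE patch
# script from the Magento document root and report success only when the
# script exits 0 and prints the success line quoted in the notice.

SUCCESS_LINE='Patch was applied/reverted successfully.'

# apply_magento_patch DOCROOT PATCHFILE EXPECTED_USER
#   DOCROOT       - Magento document root (placeholder, e.g. /var/www/html)
#   PATCHFILE     - patch script name as downloaded, relative to DOCROOT
#   EXPECTED_USER - the user the notice says to run as (www-data)
# Returns 0 on a clean apply, non-zero otherwise. The patch script's output is
# kept in DOCROOT/patch-apply.log for later review.
apply_magento_patch() {
    docroot=$1
    patchfile=$2
    expected_user=$3

    # Running as the web user keeps ownership of patched files consistent.
    if [ "$(id -un)" != "$expected_user" ]; then
        echo "refusing to patch: running as $(id -un), expected $expected_user" >&2
        return 2
    fi

    # Assumption: app/Mage.php exists in every Magento 1.x document root.
    if [ ! -f "$docroot/app/Mage.php" ]; then
        echo "refusing to patch: $docroot does not look like a Magento document root" >&2
        return 3
    fi

    if [ ! -f "$docroot/$patchfile" ]; then
        echo "refusing to patch: $docroot/$patchfile not found" >&2
        return 4
    fi

    logfile="$docroot/patch-apply.log"
    rc=0
    # The notice's step: change to the docroot and run bash on the patch file.
    ( cd "$docroot" && bash "$patchfile" ) >"$logfile" 2>&1 || rc=$?

    # Require both a zero exit status and the exact success line in the output.
    if [ "$rc" -eq 0 ] && grep -Fxq "$SUCCESS_LINE" "$logfile"; then
        echo "patch $patchfile applied; log in $logfile"
        return 0
    fi
    echo "patch $patchfile did NOT apply cleanly (exit $rc); see $logfile" >&2
    return 1
}

# Usage (placeholder values):
#   apply_magento_patch /var/www/html PATCH_SUPEE-6285_<edition>_<version>.sh www-data
```

The exact-line match (`grep -Fx`) matters: the patch scripts print the "Checking if patch can be applied/reverted successfully..." line before attempting anything, so a loose substring match on "successfully" would report success on a run that actually failed.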
More information is available in the official notice: http://merch.docs.magento.com/ce/user_guide/Magento_Community_Edition_User_Guide.html#magento/patch-releases-2015.html