Release Notes
Magento Community Edition 1.9.2.1
We are pleased to bring to you Magento Community Edition, version 1.9.2.1; a release that includes several significant security enhancements.
Important! Use Magento Community Edition 1.9.2.1 or later for all new installations and upgrades to ensure that you have the latest fixes, features, and security updates. If you use an earlier version, you must install the SUPEE-5344 patch to protect your store.
Security Patches
Stop by our new Magento Security Center, and sign up for the Security Alert Registry to receive direct notification from our security team of any emerging issues and solutions.
SUPEE-6482 Patch Bundle
This patch bundle protects your Magento Community Edition installation against two potential threats. The bundle also includes two additional patches that apply to Magento Enterprise only. This patch is a proactive, preventative measure, as there are no known attacks at this time.
Autoloaded File Inclusion in Magento SOAP API
-
Patch Details
Type:
Remote Code Execution (RCE)
CVSS Severity:
6.5 (Medium)
Known Attacks:
None
Description:
Incorrect validation of a SOAP API request makes it possible to autoload code. The exploit requires the attacker to first log in with API credentials. Depending on the PHP version and/or configuration settings, code can then be loaded from a remote location.
Product(s) Affected:
Magento CE prior to 1.9.2.1, and Magento EE prior to 1.14.2.1
Fixed In:
CE 1.9.2.1 and EE 1.14.2.1
Reporter:
Egidio Danilo Romano
SSRF Vulnerability in WSDL File
-
Patch Details
Type:
Remote File Inclusion
CVSS Severity:
5.3 (Medium)
Known Attacks:
None
Description:
Incorrect encoding of API password can lead to probing internal network resources or remote file inclusion.
Product(s) Affected:
Magento CE prior to 1.9.2.1, and Magento EE prior to 1.14.2.1
Fixed In:
CE 1.9.2.1 and EE 1.14.2.1
Reporter:
Matthew Barry
For Magento Enterprise Edition Only
-
Cross-site Scripting Using Unvalidated Headers Patch Details
Type:
Cross-site Scripting/Cache Poisoning
CVSS Severity:
9.3 (Critical)
Known Attacks:
None
Description:
Unvalidated host header leaks into response and page. Because the page can be cached, this leak poses a risk for all store customers because any HTML or JavaScript code can be injected. Such an exploit works only with specific server configurations, and allows an attacker to intercept a session or modify a page with fake credit card forms, etc.
Product(s) Affected:
Magento EE prior to 1.14.2.1
Fixed In:
EE 1.14.2.1
Reporter:
Internal (ECG)
-
XSS in Gift Registry Search Patch Details
Type:
Cross-site Scripting (XSS)
CVSS Severity:
6.1 (Medium)
Known Attacks:
None
Description:
Cross-site scripting vulnerability affects registered users. Attack through unescaped search parameter. Risk of cookie theft and impersonating as the user.
Product(s) Affected:
Magento EE prior to 1.14.2.1
Fixed In:
EE 1.14.2.1
Reporter:
Hannes Karlsson/Vaimo
Was this helpful?
A quick rating takes only 3 clicks. Add a comment to help us improve Magento even more.