Magento has recently released a critical patch; if you run Magento, update today.

You can see more information at: https://magento.com/security/patches/supee-8788

Always make sure you have up to date backups of your site before applying a patch.
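To confirm that the patch actually landed on a server after you apply it, here is an added example (not from this post or from Magento): Magento 1 patch scripts append an entry to app/etc/applied.patches.list, so this POSIX shell helper looks for SUPEE-8788 there and prints the matching lines. The function name and the MAGENTO_ROOT variable are assumptions.

```shell
#!/bin/sh
# Hypothetical helper (added example, not part of the post or of Magento).
# Magento 1 patch scripts (the SUPEE-*.sh files) record each applied
# patch in app/etc/applied.patches.list, so that file is a quick place
# to confirm SUPEE-8788 was installed on a given server.
#
# Usage: supee8788_applied /path/to/magento_root
# Exit status: 0 = patch recorded, 1 = not recorded, 2 = log file missing.
supee8788_applied() {
    magento_root="$1"
    list="$magento_root/app/etc/applied.patches.list"

    if [ ! -f "$list" ]; then
        echo "no applied.patches.list under $magento_root (no patch applied yet, or not a Magento root)" >&2
        return 2
    fi

    # Print every line mentioning the patch so a revert entry, if any,
    # is visible to the operator rather than hidden by a bare yes/no.
    if grep 'SUPEE-8788' "$list"; then
        echo "SUPEE-8788 is recorded in $list"
        return 0
    fi

    echo "SUPEE-8788 NOT found in $list; apply the patch" >&2
    return 1
}

# Run directly only when a root is given, e.g.
#   MAGENTO_ROOT=/var/www/magento sh check_supee8788.sh
if [ -n "${MAGENTO_ROOT:-}" ]; then
    supee8788_applied "$MAGENTO_ROOT"
fi
```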

What does this patch fix?

Quite a few things, including:

With some payment methods it might be possible to execute malicious PHP code during checkout.

A bug in Zend Framework value escaping allows a malicious user to inject SQL through the ordering or grouping parameters. While there are no known frontend entry point vulnerabilities that would allow for a full SQL injection, we’ve found an entry point in the Magento Admin panel, and other entry points most likely exist.

It is possible to use the Magento Enterprise Edition invitations feature to insert malicious JavaScript that might be executed in the admin context.

With access to any CMS functionality, an attacker with administrator permissions can use blocks to exfiltrate information stored in cache. This sensitive information includes store configuration, encryption key, and database connection details. Additionally, it might be possible to execute code.

In certain configurations, it is possible to log in as an existing store customer while knowing only their email address, not their password.

The import/export functionality in Magento unserializes data supplied from the Admin dashboard without proper checks. This can lead to possible code execution if a malicious user has Magento Admin access, even if that access is limited to the import/export functionality.

It is possible to manipulate the full page cache to store incorrect pages under regular page URL entries. This issue affects only Magento Enterprise Edition.

It is possible to create a category that contains malicious JavaScript code in the category name. This code will then be executed in other parts of the Admin panel, such as URL Rewrites. To exploit this issue, a user would need admin access to catalog management.

If you need any assistance from us, please get in touch.