Patch SUPEE-5994 fixes a leak that lets anyone discover the URL of your Magento admin backend. With that URL known, attackers can run brute-force password attacks against the admin login and probe for other possible weaknesses.

SUPEE-5994 is a bundle of eight patches that resolve several security-related issues.

FOLLOWING ARE THE DETAILS ON THE VULNERABILITIES ADDRESSED BY THIS PATCH –

Admin Path Disclosure – APPSEC-977

  • Type: Information Leakage (Internal)
  • CVSSv3 Severity: 5.3 (Medium)
  • Known Attacks: None
  • Description: An attacker can force the Admin Login page to appear by directly calling a module, regardless of the configured admin URL. This exposes the Admin URL on the page and makes it easier to initiate password attacks.
  • Product(s) Affected: Magento CE prior to 1.9.2.0, and Magento EE prior to 1.14.2.1
  • Fixed In: CE 1.9.2.0, EE 1.14.2.1
  • Reporter: Peter O’Callaghan
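Because disclosing the admin path lowers the bar for password attacks, the defender's counterpart to this item is to watch the admin login endpoint for bursts of failed logins. The following is an added, illustrative Python example, not code from this advisory or from Magento: it parses constructed access-log lines and flags any client that exceeds a threshold of failed admin login POSTs inside a sliding time window. The admin path `/admin/` and the heuristic that a failed login re-renders the form with status 200 while a successful one redirects with 302 are assumptions of this example, not statements from the advisory.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the store's admin login path. Magento lets the owner change it,
# which is exactly why disclosing it (APPSEC-977) matters.
ADMIN_LOGIN_PATH = "/admin/"

# Common log format: client, identity, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample log, not captured from any real server: six rapid POSTs
# from one client that each re-render the login form (200), then one
# successful login (302) and an unrelated request from another client.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2015:10:00:01 +0000] "POST /admin/ HTTP/1.1" 200 1822
203.0.113.7 - - [10/Jul/2015:10:00:02 +0000] "POST /admin/ HTTP/1.1" 200 1822
203.0.113.7 - - [10/Jul/2015:10:00:03 +0000] "POST /admin/ HTTP/1.1" 200 1822
203.0.113.7 - - [10/Jul/2015:10:00:04 +0000] "POST /admin/ HTTP/1.1" 200 1822
203.0.113.7 - - [10/Jul/2015:10:00:05 +0000] "POST /admin/ HTTP/1.1" 200 1822
203.0.113.7 - - [10/Jul/2015:10:00:06 +0000] "POST /admin/ HTTP/1.1" 200 1822
198.51.100.4 - - [10/Jul/2015:10:00:07 +0000] "POST /admin/ HTTP/1.1" 302 0
198.51.100.4 - - [10/Jul/2015:10:15:00 +0000] "GET /customer/account/ HTTP/1.1" 200 9001
"""


def parse_failed_admin_logins(log_text):
    """Return {client_ip: [timestamps]} of POSTs to the admin login path that
    came back with 200. Heuristic (assumed here): a failed login re-renders
    the form (200); a successful one redirects into the backend (302)."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        if m.group("method") != "POST" or not m.group("path").startswith(ADMIN_LOGIN_PATH):
            continue
        if m.group("status") != "200":
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        attempts[m.group("ip")].append(ts)
    return attempts


def find_login_bursts(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag clients with at least `threshold` failed admin logins inside any
    sliding `window`; returns {client_ip: peak_count_within_window}."""
    flagged = {}
    for ip, times in parse_failed_admin_logins(log_text).items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Drop attempts from the left until the window spans at most `window`.
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    for ip, count in find_login_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed admin logins within 5 minutes")
```

On the constructed sample the only client flagged is 203.0.113.7 with six attempts; raising the threshold above six flags nothing. In production the same logic would read the web server's access log, and the status heuristic should be confirmed against the store's actual login behaviour before alerting on it.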

Customer Address Leak through Checkout – APPSEC-945

  • Type: Information Disclosure / Leakage (Confidential or Restricted)
  • CVSSv3 Severity: 5.3 (Medium)
  • Known Attacks: None
  • Description: Enables an attacker to obtain address information (name, address, phone) from the address books of other store customers.
    During the checkout process, the attacker can gain access to an arbitrary address book by entering a sequential ID. No payment information is returned. The only requirement for the attacker is to create an account in the store, put any product into the cart, and start the checkout process.
    This attack can be fully automated, and a functional proof of concept exists.
  • Product(s) Affected: Magento CE prior to 1.9.2.0, and Magento EE prior to 1.14.2.1
  • Fixed In: CE 1.9.2.0, EE 1.14.2.1
  • Reporter: Erik Wohllebe

Customer Information Leak through Recurring Profile – APPSEC-926

  • Type: Information Disclosure / Leakage (Confidential or Restricted)
  • CVSSv3 Severity: 5.3 (Medium)
  • Known Attacks: None
  • Description: This issue enables an attacker to obtain address (name, address, phone), previous order (items, amounts) and payment method (payment method, recurrence) information from the recurring payment profiles of other store customers.
    The attacker only needs to create an account with the store. While viewing their own recurring profile, the attacker can request an arbitrary recurring profile using a sequential ID. The information is then returned to the attacker.
    This attack can be fully automated, and a manual proof of concept exists.
  • Product(s) Affected: Magento CE prior to 1.9.2.0, and Magento EE prior to 1.14.2.1
  • Fixed In: CE 1.9.2.0, EE 1.14.2.1
  • Reporter: Manuel Iglesias
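APPSEC-945 and APPSEC-926 share one root cause: a record is looked up by a sequential ID without checking that it belongs to the customer whose session is making the request. The following is an added, illustrative Python example, not code from this advisory or from Magento's customer module: it shows the unscoped lookup beside its ownership-scoped replacement over a constructed in-memory address table, plus a regression check that walks the ID range and reports which records each loader hands to a given customer. The customer and address records are constructed for the example.

```python
# Constructed in-memory stand-in for the customer address table. IDs are
# sequential, as in the affected Magento releases, so guessing a neighbouring
# ID is trivial; the defence is the ownership check, not ID secrecy.
ADDRESSES = {
    1: {"customer_id": 10, "name": "Alice Example", "street": "1 First St", "phone": "555-0100"},
    2: {"customer_id": 10, "name": "Alice Example", "street": "2 Second St", "phone": "555-0100"},
    3: {"customer_id": 11, "name": "Bob Example", "street": "3 Third St", "phone": "555-0111"},
}


def load_address_unscoped(session_customer_id, address_id):
    """Vulnerable pattern: the record is fetched by ID alone and the identity
    of the logged-in customer is never consulted."""
    return ADDRESSES.get(address_id)


def load_address_for_customer(session_customer_id, address_id):
    """Hardened pattern: the lookup is scoped to the customer ID taken from the
    server-side session, never from request input. A record owned by someone
    else is reported exactly like a nonexistent one, so the response does not
    even confirm that the ID exists."""
    record = ADDRESSES.get(address_id)
    if record is None or record["customer_id"] != session_customer_id:
        return None
    return record


def exposed_ids(session_customer_id, loader, id_range=range(1, 5)):
    """Regression check: walk the ID range with the given loader and report
    which IDs yield a record to this customer. With a correctly scoped loader
    the result must contain only the customer's own records."""
    return [i for i in id_range if loader(session_customer_id, i) is not None]


if __name__ == "__main__":
    print("unscoped:", exposed_ids(11, load_address_unscoped))      # every record
    print("scoped:  ", exposed_ids(11, load_address_for_customer))  # only Bob's
```

The same shape applies to the recurring-profile lookup in APPSEC-926: the profile query must be filtered by the session's customer ID on the server, and a check of this kind belongs in the test suite for every controller action that accepts a record ID from the client.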

Local File Path Disclosure Using Media Cache – APPSEC-965

  • Type: Information Leakage (Internal)
  • CVSSv3 Severity: 5.3 (Medium)
  • Known Attacks: None
  • Description: An attacker can use fictitious image URLs to generate exceptions that expose internal server paths, regardless of settings.
  • Product(s) Affected: Magento CE prior to 1.9.2.0, and Magento EE prior to 1.14.2.1
  • Fixed In: CE 1.9.2.0, EE 1.14.2.1
  • Reporter: Omar M

Cross-site Scripting (XSS) Using Magento Downloader – APPSEC-979

  • Type: Cross-site Scripting (XSS) – Reflected
  • CVSSv3 Severity: 8.2 (High)
  • Known Attacks: None
  • Description: This issue enables an attacker to execute JavaScript code within the context of a Magento Connect Manager session. If the administrator clicks a malicious link, the session can be stolen, and malicious extensions installed.
  • Product(s) Affected: Magento CE prior to 1.9.2.0, and Magento EE prior to 1.14.2.1
  • Fixed In: CE 1.9.2.0, EE 1.14.2.1
  • Reporter: Robert Foggia / Trustwave

Spreadsheet Formula Injection – APPSEC-978

  • Type: Formula Injection
  • CVSSv3 Severity: 6.1 (Medium)
  • Known Attacks: None
  • Description: An attacker can provide input that executes as a formula when exported and opened in a spreadsheet application such as Microsoft Excel. The formula can modify data, export personal data to another site, or cause remote code execution. The spreadsheet usually displays a warning message, which the user must dismiss for the attack to succeed.
  • Product(s) Affected: Magento CE prior to 1.9.2.0, and Magento EE prior to 1.14.2.1
  • Fixed In: CE 1.9.2.0, EE 1.14.2.1
  • Reporter: iSec Partners (external audit)
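The standard mitigation for formula injection is applied at export time: any cell whose text begins with a character that spreadsheets treat as a formula trigger is prefixed so the application reads it as literal text, and every field is quoted so a value containing a delimiter or newline cannot spill into a neighbouring cell. The following is an added, illustrative Python example, not Magento's export code: the trigger set, the numeric pass-through rule and the sample customer rows are choices and constructions of this example.

```python
import csv
import io

# Leading characters that make Excel, LibreOffice and similar applications
# evaluate a cell as a formula when the exported CSV is opened.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return a string that a spreadsheet will display as plain text.

    Numbers pass through untouched (a negative amount is not a formula).
    Any other value that starts with a trigger character gets a leading single
    quote, which spreadsheet applications read as "treat this cell as text".
    """
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_rows(header, rows):
    """Write header and rows as CSV with every field quoted. Quoting every
    field stops a value containing a comma or newline from being split into
    additional cells, where a fragment could start a formula of its own."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(v) for v in row])
    return buf.getvalue()


# Constructed sample customers; the harmless "=1+1" stands in for any
# expression a spreadsheet would otherwise evaluate on open.
CUSTOMER_HEADER = ["name", "city", "balance"]
CUSTOMER_ROWS = [
    ["Jane Doe", "Springfield", 12.5],
    ["=1+1", "Shelbyville", -3],
    ["@Acme Corp", "Capital City", 0],
]


def export_customers():
    return export_rows(CUSTOMER_HEADER, CUSTOMER_ROWS)


if __name__ == "__main__":
    print(export_customers(), end="")
```

Running the block prints the three customers with the second and third name cells rewritten as `'=1+1` and `'@Acme Corp`, while the numeric balances, including the negative one, stay as numbers. Exports that must round-trip exactly can instead reject such input at the point where it is stored, but neutralizing at export time covers data that was already in the database when the rule was introduced.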

Cross-site Scripting Using Authorize.Net Direct Post Module – APPSEC-907

  • Type: Cross-Site Scripting (XSS) – Reflected
  • CVSSv3 Severity: 6.1 (Medium)
  • Known Attacks: None
  • Description: Enables an attacker to execute JavaScript in the context of a customer session. If a customer clicks a malicious link, the attacker can steal cookies and hijack the session, which can expose personal information and compromise checkout.
  • Product(s) Affected: Magento CE prior to 1.9.2.0, and Magento EE prior to 1.14.2.1
  • Fixed In: CE 1.9.2.0, EE 1.14.2.1
  • Reporter: Matthew Barry

Malicious Package Can Overwrite System Files – APPSEC-535

  • Type: Abuse of Functionality
  • CVSSv3 Severity: 3.1 (Low)
  • Known Attacks: None
  • Description: An attacker can publish a malicious extension package. When the package is installed by a customer, it can overwrite files on the server. The attacker must first publish a package and then entice a customer to install it. The package might also contain a malicious payload.
  • Product(s) Affected: Magento CE prior to 1.9.2.0, and Magento EE prior to 1.14.2.1
  • Fixed In: CE 1.9.2.0, EE 1.14.2.1
  • Reporter: iSec Partners (external audit)
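The defence against a package that overwrites files outside its intended location is to validate every member path before anything is written: reject names that can escape the installation root, then restrict writes to the directories an extension legitimately owns. The following is an added, illustrative Python example, not Magento Connect's installer code: the allow-list of extension directories, the vendor name `Acme` and the sample member list are assumptions and constructions of this example.

```python
import posixpath

# Assumed allow-list of directories an extension package may write into. The
# real allowed set is a deployment decision; these entries are illustrative.
ALLOWED_PREFIXES = ("app/code/community/", "app/design/", "skin/", "js/", "lib/")


def is_safe_member_path(member_name):
    """Reject archive member names that could escape the install root or name
    an arbitrary file. Only the path string is checked; an extractor must also
    refuse symlink and hardlink members, which a name check cannot see."""
    if not member_name or "\x00" in member_name:
        return False
    # Absolute paths, Windows separators and drive letters are refused outright.
    if member_name.startswith("/") or "\\" in member_name or ":" in member_name.split("/")[0]:
        return False
    # After normalisation, any remaining leading ".." points above the root.
    normalized = posixpath.normpath(member_name)
    if normalized == ".." or normalized.startswith("../"):
        return False
    return True


def is_allowed_member(member_name):
    """A member is installable only if it is both safe and inside one of the
    extension directories on the allow-list (checked after normalisation, so
    "app/design/../../index.php" is judged as "index.php")."""
    if not is_safe_member_path(member_name):
        return False
    return posixpath.normpath(member_name).startswith(ALLOWED_PREFIXES)


def vet_package(members):
    """Split a package's member names into (accepted, rejected) lists."""
    accepted, rejected = [], []
    for name in members:
        (accepted if is_allowed_member(name) else rejected).append(name)
    return accepted, rejected


# Constructed member list for a hypothetical "Acme_Widget" package.
SAMPLE_PACKAGE_MEMBERS = [
    "app/code/community/Acme/Widget/etc/config.xml",
    "skin/frontend/base/default/css/acme.css",
    "app/design/../../index.php",   # normalises to index.php: outside the allow-list
    "lib/../../outside.php",        # escapes the install root
    "../../outside.php",
    "/etc/outside.conf",
    "js\\acme\\widget.js",          # backslash separators are refused outright
]


if __name__ == "__main__":
    accepted, rejected = vet_package(SAMPLE_PACKAGE_MEMBERS)
    print("accepted:", accepted)
    print("rejected:", rejected)
```

The two checks are deliberately separate: `is_safe_member_path` is the minimum any archive extractor needs, while the allow-list expresses the narrower policy that an extension has no business writing to the web root or to configuration files at all. Rejecting the whole package when any member fails, rather than silently skipping members, keeps a partially installed extension from leaving the store in an inconsistent state.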