If you run a Magento eCommerce web site you should either upgrade or patch immediately! Magento have released a security patch (SUPEE-8788) which addresses the following:
- Remote code execution vulnerabilities with certain payment methods
- Possibility of SQL injections due to Zend Framework library vulnerabilities
- Cross-site scripting (XSS) risks with the Enterprise Edition private sale invitation feature
- Improper session invalidation when an Admin user logs out
- The ability for unauthorized users to back up Magento files or databases
Many of the online businesses that fall victim to a breach of payment card data could have prevented the initial hack simply by patching their systems. To avoid an expensive forensic investigation and potentially hefty fines, you should act now.
Foregenix' own WebScan can be used to check your current patch status and look for other external vulnerabilities within your eCommerce environment. Click here for more information and to run a scan.
SUPEE-8788, Enterprise Edition 1.14.3 and Community Edition 1.9.3 address the Zend Framework and payment-method vulnerabilities, ensure sessions are invalidated after a user logs out, and make several other security enhancements that are detailed below.
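A quick way to confirm your own exposure is to check two things the post names: whether the installed release is already one of the fixed versions (CE 1.9.3 / EE 1.14.3 or later) and, if not, whether SUPEE-8788 is recorded as applied. The script below is an added example, not Foregenix or Magento code. It assumes the Magento 1 `app/etc/applied.patches.list` layout of pipe-separated fields with the patch id in the second field and a `REVERTED` marker for rolled-back patches; the listing embedded in it is constructed, so verify the format against a real installation before relying on the result.

```python
import re

# Fixed releases named in the advisory; anything at or above these needs no patch.
FIXED_RELEASES = {"CE": (1, 9, 3), "EE": (1, 14, 3)}
PATCH_ID = "SUPEE-8788"


def parse_version(version: str) -> tuple:
    """Turn '1.9.2.4' into (1, 9, 2, 4) so versions compare as tuples."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def applied_patches(listing: str) -> set:
    """Collect patch ids from applied.patches.list-style text.

    ASSUMPTION: each record is one line of '|'-separated fields, the patch id is
    the second field, and a later record containing 'REVERTED' undoes the patch.
    """
    applied = set()
    for line in listing.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) < 2 or not fields[1].startswith("SUPEE-"):
            continue
        patch_id = fields[1].split()[0]
        if "REVERTED" in fields:
            applied.discard(patch_id)
        else:
            applied.add(patch_id)
    return applied


def needs_action(edition: str, version: str, listing: str) -> bool:
    """True when the site is neither on a fixed release nor patched with SUPEE-8788."""
    fixed_from = FIXED_RELEASES[edition.upper()]
    if parse_version(version) >= fixed_from:
        return False            # upgraded: the fix ships in this release
    return PATCH_ID not in applied_patches(listing)


# Constructed sample listing (not taken from a real installation).
SAMPLE_LISTING = """\
2016-10-13 10:15:02 UTC | SUPEE-8167 | CE_1.9.2.4 | v1 | deadbeef | Thu Oct 13 10:15:02 UTC 2016 | app/code/core/Mage/Admin/Model/Session.php
2016-10-14 09:02:41 UTC | SUPEE-8788 | CE_1.9.2.4 | v1 | cafef00d | Fri Oct 14 09:02:41 UTC 2016 | lib/Zend/Db/Select.php
"""

if __name__ == "__main__":
    for edition, version, listing in [
        ("CE", "1.9.2.4", ""),              # unpatched older release
        ("CE", "1.9.2.4", SAMPLE_LISTING),  # older release with the patch recorded
        ("EE", "1.14.3.0", ""),             # fixed release, nothing to do
    ]:
        verdict = "ACTION REQUIRED" if needs_action(edition, version, listing) else "ok"
        print(f"{edition} {version}: {verdict}")
```

Run it against the contents of your own `app/etc/applied.patches.list` and the version from `Mage::getVersion()`; a result of `ACTION REQUIRED` means neither the upgrade nor the patch is in place.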