Magento Security Update – SUPEE-6285

SUPEE-6285 Magento security update: heads up

Magento released a flurry of security advice about the upcoming patches. The vulnerabilities are not new, but it appears there are still issues to fix.

In stark contrast with the previous practice of springing patches on the community, Magento released an advisory about the upcoming changes. The changes are quite fundamental. We expect a huge number of extensions to be affected. It’s time to act.

mVentory extension updates

TradeMe extension:

  • Admin tab interface
  • Category matching interface
  • Account authorisation
  • Downloading CSV file

API / Android app:

  • Bulk edit actions
  • Create/remove access of customer account
  • Category matching interface
  • Downloading files from Magento system configuration pages

The app itself isn’t affected.

Front end editor:

  • Probably opening CMS page editor from the front end

S3CDN – image uploader to S3:

  • Uploading placeholders

Update schedule

We are working on the TradeMe and API extensions right now and should have them ready within 48 hours from now.

The Front End Toolbar should be ready by Tue, 27 Oct.

Our S3CDN extension will be pulled from Magento Connect and remain available on GitHub only. We are unlikely to patch it until we actually need to install it somewhere new.
