magento-open-source-security
Magento sent an email today to all accounts registered on its official website regarding a security update. If you're using Magento Community Edition, you are exposed to remote code execution. So please read the message below, then go to Magento's official website and download the security patches for these vulnerabilities.

A few words about Magento

  • More than 240,000 merchants worldwide put their trust in Magento eCommerce software
  • Magento Enterprise Edition – Magento Enterprise Edition is the high performance, scalable eCommerce solution for fast-growing and large businesses
  • Magento Community Edition – Magento Community Edition is the perfect solution if you’re a developer or tech-savvy merchant that wants to explore the flexibility of the Magento eCommerce platform. You can modify—and even contribute to—the core code and engage with our passionate community for support and guidance
  • Source – http://magento.com/products/overview

You can read the email message regarding the security updates below.

Dear Magento Community Edition merchant,

If you have not done so already, download and install 2 previously-released patches that address potential Magento software security risks. The patches prevent an attacker from remotely executing code on Magento software. These issues affect all versions of Magento Community Edition.

Check Point Software Technologies has informed us that they plan to send out a press release in the coming days making one of the security issues widely known, possibly alerting hackers who may try to exploit the issue. While we have not received any reports of merchants being impacted by the security risks, it’s important to ensure the patches are in place as a preventative measure before the issue is publicized.

RECOMMENDED NEXT STEPS:

  • Check for unknown files in the web server document root directory. If you find any, you may be impacted.
  • Download and implement 2 patches from the Magento Community Edition download page.
    • SUPEE-5344 – Addresses a potential remote code execution exploit (Added Feb 9, 2015)
    • SUPEE-1533 – Addresses two potential remote code execution exploits (Added Oct 3, 2014)
    • Note: Different versions of the patch are available for Magento Community Edition 1.4.x through 1.9.x.
  • Implement and test the patches in a development environment first to confirm that they work as expected before deploying them to your production site.

Magento takes security seriously and will continue to actively work to identify and resolve potential issues.

Best Regards,
The Magento Team

How to download

You can access Magento's Community Edition download page from here. Look on the page for the section "Magento Community Edition Patches" and download the security patches for your version.

The most significant security patches are:

SUPEE-5344 – Addresses a potential remote code execution exploit. – Added Feb 9, 2015

and

SUPEE-1533 – Addresses two potential remote code execution exploits. – Added Oct 3, 2014
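Two checks that follow the email's recommended steps (look for unknown files in the docroot, confirm both patches are in place), as an added example that is not code from the Magento email or from Magento itself. It assumes the SUPEE installers record each applied patch id in app/etc/applied.patches.list and that you keep a baseline manifest of expected docroot files (baseline.manifest is a hypothetical name).

```shell
# Added example, not Magento's own tooling: two post-patch checks for a
# Magento 1.x docroot. Assumes the SUPEE installers append a line containing
# the patch id to app/etc/applied.patches.list, and that a baseline manifest
# of expected files exists (hypothetical name baseline.manifest, one path per line).

# Succeeds only if every patch id given after the root appears in
# app/etc/applied.patches.list; prints one status line per id.
check_patches() {
    root="$1"; shift
    list="$root/app/etc/applied.patches.list"
    [ -f "$list" ] || { echo "missing $list: no patches recorded"; return 1; }
    rc=0
    for id in "$@"; do
        if grep -q "$id" "$list"; then echo "applied: $id"
        else echo "MISSING: $id"; rc=1; fi
    done
    return $rc
}

# Prints files under the docroot ($1) that are absent from the manifest ($2)
# and returns 1 when any exist (the "unknown files" check from the email).
find_unknown_files() {
    tmp=$(mktemp)
    (cd "$1" && find . -type f | sed 's|^\./||' | sort) > "$tmp"
    unknown=$(sort "$2" | comm -23 "$tmp" -)
    rm -f "$tmp"
    [ -z "$unknown" ] && return 0
    printf '%s\n' "$unknown"
    return 1
}

# Builds a constructed sample store (not real data) and prints its path:
# only SUPEE-1533 is recorded and one file is missing from the manifest.
make_sample_root() {
    base=$(mktemp -d)
    mkdir -p "$base/htdocs/app/etc" "$base/htdocs/skin"
    echo "2014-10-03 | SUPEE-1533 | CE_1.9.0.1 | constructed line" \
        > "$base/htdocs/app/etc/applied.patches.list"
    : > "$base/htdocs/index.php"; : > "$base/htdocs/skin/style.css"
    : > "$base/htdocs/unexpected.php"
    printf '%s\n' app/etc/applied.patches.list index.php skin/style.css \
        > "$base/baseline.manifest"
    echo "$base"
}

if [ "${1:-}" = "--demo" ]; then
    base=$(make_sample_root)
    check_patches "$base/htdocs" SUPEE-5344 SUPEE-1533
    find_unknown_files "$base/htdocs" "$base/baseline.manifest"
fi
```

Run the script with --demo to see both checks against the constructed sample; on a real store, point check_patches at the Magento root and find_unknown_files at the docroot with a manifest taken from a clean install of the same version.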