A new security patch has been released for Magento. It does not address any new security issues; instead it provides fixes for a few bugs.

The patch includes:

  • SUPEE-7978 Cart Merge – Carts with identical items now merge correctly
  • SUPEE-7822 SOAP API Patch – Fixes an issue that resulted in a 500 server error with certain API calls
  • SUPEE-7882 PHP 5.3 Compatibility – The patch is now compatible with PHP 5.3+
  • File Permissions – The patch restores less restrictive file permissions

Issues resolved:

  • Stored XSS via email address – APPSEC-1213
  • Stored XSS in Order Comments – APPSEC-1239
  • Stored XSS in Order – APPSEC-1260
  • Guest order view protection code vulnerable to brute-force attack – APPSEC-1270
  • Information Disclosure in RSS feed – APPSEC-1171
  • CSRF token not validated on backend login page – APPSEC-1206
  • Malicious files can be uploaded via backend – APPSEC-1306
  • CSRF leading to execution of admin actions after login – APPSEC-1179
  • Excel Formula Injection via CSV/XML export – APPSEC-1110
  • XSS in Product Custom Options – APPSEC-1267
  • Editing or Deleting Reviews without permission – APPSEC-1268
  • Disruption of email delivery – APPSEC-1177
  • CAPTCHA Bypass – APPSEC-1283
  • Admin path disclosure via Authorize.net – APPSEC-1208
  • XSS Payload in website’s translation table – APPSEC-1214
  • CSRF Delete Items from Cart – APPSEC-1212
  • XSS via custom options – APPSEC-1276
  • Risky serialized string filtering – APPSEC-1204
  • Reflected XSS in backend coupon entry – APPSEC-1305
  • Injected code can be stored in database – APPSEC-1240
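The "Excel Formula Injection via CSV/XML export" item above refers to a class of bug in which a value stored by a user (an order comment, a customer name) starts with a character such as `=`, `+`, `-` or `@`, so that when an administrator opens the exported CSV in a spreadsheet, the cell is evaluated as a formula rather than shown as text. The example below is added here and is not Magento's code or part of the patch; it shows the standard defensive treatment on the export side, prefixing any string cell that would be parsed as a formula with a single quote so the spreadsheet displays it as literal text. The function names and the sample rows are constructed for this example.

```python
import csv
import io

# Leading characters that make common spreadsheet applications interpret a
# cell as a formula. Tab and carriage return are included because some
# applications treat them as formula starts as well.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value):
    """True if a string cell would be evaluated as a formula on import.

    Spreadsheet applications ignore leading whitespace before checking the
    first character, so the check is done on the stripped value.
    """
    if not isinstance(value, str):
        return False
    stripped = value.lstrip()
    return bool(stripped) and stripped[0] in FORMULA_TRIGGERS


def neutralize_cell(value):
    """Return the cell value made safe for spreadsheet import.

    Only string cells are touched: a leading single quote forces the
    spreadsheet to treat the content as text. Typed numbers (e.g. -5 as an
    int) are exported unchanged, since they are not attacker-controlled text.
    """
    if is_formula_like(value):
        return "'" + value
    return value


def export_rows(rows):
    """Serialise rows to CSV with every cell neutralised and quoted.

    Quoting every field also prevents a value containing a field separator
    from splitting into extra columns.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample export: the second row's comment column holds a value
# that a spreadsheet would otherwise evaluate as a formula.
SAMPLE_ROWS = [
    ["order_id", "customer", "comment", "total"],
    [1001, "Alice", "Please leave at the door", 42.5],
    [1002, "Bob", "=1+1", -5],
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_ROWS))
```

The quote prefix is applied at export time rather than when the value is stored, so the database keeps the original text and other consumers of the data (web pages, APIs) are unaffected; the trade-off is that a legitimate string beginning with `-` or `+` (a phone number such as `+44...`) is also prefixed and will show the quote in some spreadsheet applications.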

Full patch notes can be found here.