A new security patch has been released by Magento to address a variety of security issues:

  • Attackers can force the admin login page to appear regardless of the URL
  • An attacker could potentially obtain address information during the checkout process
  • Potential customer information leak through recurring billing profiles
  • Local file path disclosure using media cache
  • Cross-site scripting using Magento downloader
  • Spreadsheet formula injection allowing an attacker to execute a formula in an exported spreadsheet
  • Cross-site scripting with Authorize.Net
  • Malicious package can override system files

It is strongly recommended that this patch is installed as quickly as possible.

Full patch notes can be found here