A new security patch has been released by Magento to address a variety of security issues:
- Attackers can force the admin login page to appear regardless of the URL
- An attacker could potentially obtain address information during the checkout process
- Potential customer information leak through recurring billing profiles
- Local file path disclosure using media cache
- Cross-site scripting using Magento downloader
- Spreadsheet formula injection allowing an attacker to execute a formula in an exported spreadsheet
- Cross-site scripting with Authorize.Net
- Malicious package can override system files
It is strongly recommended that this patch is installed as quickly as possible.
Full patch notes can be found here