CVE-2016-2212

Name of the Vulnerable Software and Affected Versions Magento Enterprise Edition versions prior to 1.14.2.3 Magento Community Edition versions prior to 1.9.2.3

Description The issue allows remote attackers to obtain sensitive order information. This is achieved by exploiting the getOrderByStatusUrlKey function in the Mage Rss Helper Order class. The exploitation occurs through the order id in a JSON object in the data parameter in an RSS feed request to the "index.php/rss/order/status" endpoint.

Recommendations For Magento Enterprise Edition versions prior to 1.14.2.3, update to version 1.14.2.3 or later. For Magento Community Edition versions prior to 1.9.2.3, update to version 1.9.2.3 or later.