SQL Injection in Magento Core
Magento has released a new security update fixing multiple types of vulnerabilities, including Cross-Site Request Forgery, Cross-Site Scripting, SQL Injection, and Remote Code Execution.
To be exploited, the majority of these vulnerabilities require the attacker to be authenticated on the site and have some level of privilege.
One of the bugs listed is an SQL Injection vulnerability that can be exploited without any form of privilege or authentication. Given the sensitive nature of the data Magento ecommerce sites handle on a daily basis, affected site owners should apply the patch as soon as possible.