The latest Magento Security Update, also known as SUPEE-6788, fixes several security issues, primarily around access to sensitive data such as database credentials, integration passwords, or customer passwords. One of the more critical parts of this update addresses a vulnerability in how third-party extensions traditionally access an admin URL. Because the patch addresses this vulnerability, it has the potential to break third-party extensions, modules, and customizations. To ensure the security update does not break your site, Magento has released it with this fix “disabled”. This allows you and a Solutions Partner, like Crimson Agility, to address any vulnerable extensions, modules, or customizations before “enabling” it.
We highly recommend that you:
1. Install the Security Update on a development instance and validate all functionality, then move it to your live Magento instance immediately.
2. Evaluate extensions, modules, and customizations on your Magento instance for the vulnerability.
3. Address the vulnerable extensions, modules, and customizations as soon as possible.
4. “Enable” the fix for the admin URLs once all the vulnerabilities have been addressed.
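
One way to approach step 2, as an added example (not code from Magento or Crimson Agility): a Python scan of each extension's `config.xml` for an admin router the extension declares for itself rather than attaching to the core `adminhtml` router. Assumptions: this page does not spell out the affected pattern, so the check uses the legacy Magento 1 admin-routing declaration (`<use>admin</use>` with its own `frontName`); the `Acme_Reports` module and both sample configs are constructed.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample: an extension that registers its own admin router.
LEGACY_CONFIG = """<config>
  <admin><routers>
    <acme_reports>
      <use>admin</use>
      <args><module>Acme_Reports</module><frontName>acmereports</frontName></args>
    </acme_reports>
  </routers></admin>
</config>"""

# Constructed sample: the same extension attached to the core adminhtml router.
UPDATED_CONFIG = """<config>
  <admin><routers>
    <adminhtml><args><modules>
      <Acme_Reports before="Mage_Adminhtml">Acme_Reports_Adminhtml</Acme_Reports>
    </modules></args></adminhtml>
  </routers></admin>
</config>"""


def find_legacy_admin_routers(config_xml):
    """Return (router, module, frontName) for every admin router that an
    extension declares itself instead of extending the 'adminhtml' router."""
    root = ET.fromstring(config_xml)  # raises ET.ParseError on malformed XML
    findings = []
    for router in root.findall("./admin/routers/*"):
        if router.tag == "adminhtml":
            continue  # attached to the core router: not the legacy style
        if (router.findtext("use") or "").strip() != "admin":
            continue
        findings.append((router.tag,
                         (router.findtext("args/module") or "").strip(),
                         (router.findtext("args/frontName") or "").strip()))
    return findings


def scan_tree(magento_root):
    """Scan extension configs in the community and local code pools."""
    results = {}
    for pool in ("community", "local"):
        pattern = "*/*/etc/config.xml"  # <Vendor>/<Module>/etc/config.xml
        for path in Path(magento_root, "app", "code", pool).glob(pattern):
            try:
                hits = find_legacy_admin_routers(path.read_bytes())
            except ET.ParseError:
                hits = [("<unparseable: review manually>", "", "")]
            if hits:
                results[str(path)] = hits
    return results
```

Run `scan_tree()` against the development instance from step 1; each reported module is a candidate for step 3 before the fix is enabled in step 4.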