SUPEE-6788 is a set of patches that resolves several security-related issues in Magento.
The change most likely to affect existing installations is the one that closes the custom admin URL bypass (Admin Path Disclosure, APPSEC-1034, listed below).
The following vulnerabilities are addressed by this patch:
- Error Reporting in Setup Exposes Configuration - APPSEC-1102
- Filter Directives Can Allow Access to Protected Data - APPSEC-1057
- XXE/XEE attack on Zend XML functionality using multibyte payloads - APPSEC-1045
- Potential SQL Injection in Magento Core Model Based Classes - APPSEC-1063
- Potential remote code execution using Cron - APPSEC-1037
- Remote Code Execution/Information Leak Using File Custom Option - APPSEC-1079
- Cross site scripting with error messages - APPSEC-1039
- Potential remote code execution using error reports and downloadable products - APPSEC-1032
- Admin Path Disclosure - APPSEC-1034
- Insufficient Protection of Password Reset Process - APPSEC-1027
- Dev Folder Not Protected - APPSEC-1124
- Cross-site Scripting/Cache Poisoning - APPSEC-1030
Any extension that has admin functionality and uses a non-default admin URL (a custom admin URL) will be affected by this patch.
Note: there are other possible breakages as well; see the technical details for more information: http://magento.com/security/patches/supee-6788-technical-details
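As an added example (not part of the original post and not Magento's own tooling), the following shell scan lists extension config.xml files that register their own admin router frontName, which is how a Magento 1 extension typically defines a non-default admin URL and therefore the pattern to review before applying this patch. The module names, paths and frontNames in the fixture are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: scan Magento 1 config.xml files for admin routers that declare
# their own <frontName> (a custom admin URL). Only <frontName> elements inside
# an <admin> block are considered, so frontend routers are ignored.
# Needs only find and awk. Fixture module names below are constructed.

# Print "file: frontName=<name>" for every admin router frontName other than
# the core "admin" frontName used by Mage_Adminhtml.
find_custom_admin_routers() {
    root="$1"
    find "$root" -path '*/etc/config.xml' -type f | sort | while IFS= read -r f; do
        awk '
            /<admin>/   { inadmin = 1 }
            /<\/admin>/ { inadmin = 0 }
            inadmin && /<frontName>/ {
                name = $0
                sub(/.*<frontName>/, "", name)
                sub(/<\/frontName>.*/, "", name)
                if (name != "admin") print FILENAME ": frontName=" name
            }' "$f"
    done
}

# Number of flagged routers; handy as a pre-patch gate in a deployment script.
count_custom_admin_routers() {
    find_custom_admin_routers "$1" | wc -l | tr -d ' '
}

# Build a constructed sample code tree: one core-style module routing through
# the standard admin frontName and one hypothetical extension (Acme_Report)
# that also has a frontend router and its own admin frontName.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/app/code/core/Mage/Adminhtml/etc" \
             "$dir/app/code/local/Acme/Report/etc"
    cat > "$dir/app/code/core/Mage/Adminhtml/etc/config.xml" <<'EOF'
<?xml version="1.0"?>
<config>
    <admin>
        <routers>
            <adminhtml>
                <use>admin</use>
                <args>
                    <module>Mage_Adminhtml</module>
                    <frontName>admin</frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
EOF
    cat > "$dir/app/code/local/Acme/Report/etc/config.xml" <<'EOF'
<?xml version="1.0"?>
<config>
    <frontend>
        <routers>
            <acme_report>
                <use>standard</use>
                <args>
                    <module>Acme_Report</module>
                    <frontName>report</frontName>
                </args>
            </acme_report>
        </routers>
    </frontend>
    <admin>
        <routers>
            <acme_report_admin>
                <use>admin</use>
                <args>
                    <module>Acme_Report_Adminhtml</module>
                    <frontName>acmereport</frontName>
                </args>
            </acme_report_admin>
        </routers>
    </admin>
</config>
EOF
    printf '%s\n' "$dir"
}

# Usage on a real install: find_custom_admin_routers /path/to/magento/app/code
SAMPLE_ROOT=$(make_sample_tree)
find_custom_admin_routers "$SAMPLE_ROOT"
```

Only the Acme_Report admin router is reported; the core adminhtml router and the extension's frontend router are not. Treat every flagged file as an extension to test on the development server after the patch.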
Install the security patch. You can download it from your Magento Account.
When applying a new patch, it is important that the previously released patches required for your Magento CE or EE version have already been applied.
Note: before applying patches on a production server, best practice is to apply the patch on a development server first.
Once testing confirms it works as expected, move it to the production server.