From Magento.com

Today, we are releasing a new patch (SUPEE-6788) and Community
Edition 1.9.2.2 to address 10+ security issues, including
remote code execution and information leak vulnerabilities.
This patch is unrelated to the Guruincsite malware issue. Be
sure to test the patch in a development environment first, as
it can affect extensions and customizations. Download the patch
from the Community Edition Download page and learn more at
http://magento.com/security/patches/supee-6788

For Magento Community Edition only, prior to version 1.9.2.1:

Cross-site Scripting/Cache Poisoning – APPSEC-1030

Type: Cross-site Scripting (XSS) – Stored / Cache Poisoning

CVSSv3 Severity: 9.3 (Critical)

Known Attacks: None

Description:

An unvalidated Host header leaks into the response and the
page. Because the page can be cached, this leak poses a risk
for all store customers, because any HTML or JavaScript code
can be injected. Such an exploit works only with specific
server configurations, and allows an attacker to intercept a
session or modify a page with fake credit card forms, etc.

Note: While this issue is not applicable to out-of-the-box
Magento Community installations, it could possibly be
exploited with third-party full page caching extensions. This
patch was also already included in the 1.9.2.1 release.

Product(s) Affected: Magento CE prior to 1.9.2.1

Fixed In: EE 1.14.2.1

Reporter: Internal (ECG)
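
A minimal model of the issue in the Description above, added here as an illustration and not taken from Magento or the patch: a page cache keyed only on the path stores whatever the Host header put into the page, and checking the header against an allowlist stops that. The hostnames and the names `PageCache`, `canonical_host` and `first_request_leaks` are assumptions made up for this example.

```python
# Added illustration: a toy full-page cache, not Magento code.
ALLOWED_HOSTS = {"shop.example.com"}  # assumption: the store's configured hostnames
DEFAULT_HOST = "shop.example.com"     # assumption: the configured base URL host

def canonical_host(host_header):
    """Return the hostname only if it exactly matches the allowlist, else None."""
    host = (host_header or "").strip().lower()
    name = host.rsplit(":", 1)[0] if ":" in host else host  # drop optional port
    return name if name in ALLOWED_HOSTS else None

def render(host):
    # The host value ends up in the page body, as in the advisory's description.
    return '<link rel="canonical" href="https://%s/">' % host

class PageCache:
    """Cache keyed on path only, so one stored copy is served to every visitor."""

    def __init__(self, validate):
        self.validate = validate
        self.store = {}

    def get(self, path, host_header):
        if path in self.store:
            return self.store[path]
        if self.validate:
            # Hardened: ignore any Host value that is not allowlisted.
            host = canonical_host(host_header) or DEFAULT_HOST
        else:
            # Flawed: the client-supplied header is trusted as-is.
            host = host_header
        self.store[path] = render(host)
        return self.store[path]

def first_request_leaks(validate, foreign_host="other.example.net"):
    """True if a foreign Host on the first request reaches the next visitor."""
    cache = PageCache(validate)
    cache.get("/", foreign_host)                 # constructed first request
    return foreign_host in cache.get("/", DEFAULT_HOST)

if __name__ == "__main__":
    print("unvalidated cache leaks:", first_request_leaks(False))  # True
    print("validated cache leaks:  ", first_request_leaks(True))   # False
```

The same allowlist idea can be enforced before the application sees the request, for example by having the web server or caching layer answer only for the store's known hostnames.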

Please refer to SECURITY BEST PRACTICES FOR CE or SECURITY BEST
PRACTICES FOR EE for additional information on how to secure
your site.

To download the patch, choose from the following options:

  • Partners: Go to the PARTNER PORTAL, select
    Technical Resources and then select Download from the
    Enterprise Edition panel. Next, navigate to Magento
    Enterprise Edition > Patches & Support and look for
    the folder titled “Security Patches – July October.”

  • Enterprise Edition Merchants: Go to MY ACCOUNT, select the
    Downloads tab, and then navigate to Magento Enterprise
    Edition > Support Patches. Look for the folder titled
    “Security Patches – October 2015.” Merchants can
    also upgrade to the latest version of the Enterprise
    Edition and receive the security fixes as part of the core
    code.

  • Community Edition Merchants: Patches for earlier
    versions of Community Edition can be found on the Community
    Edition DOWNLOAD PAGE (look for SUPEE-6788). Merchants can
    also UPGRADE TODAY to the latest version of the Community
    Edition and receive the security fixes as part of the core
    code.

Be sure to implement and test the patch in a development
environment first to confirm that it works as expected before
deploying it to a production site. Information about installing
patches for MAGENTO ENTERPRISE EDITION and MAGENTO COMMUNITY
EDITION is available online.
