Are you still vulnerable after applying a Magento security patch?

Screenshot of the popin displayed in your back-office which notifies you about security patches

I salute Magento and all its partners for the notifications about the security issues found.
Magento notifies you in the back-office with a popin when a new patch is available.

These patches are all available from the Magento download page and are distributed as a .sh file. You just have to run it and that's it, you are secured!?


The patches provided modify only the app/code/core files, so if you run a non-customised Magento, yes, you are patched.
But if you have made passive overloads (e.g. copied the related file into the app/code/community or app/code/local code pool folders), you are not patched: Magento loads the copy from the community or local pool in place of the patched core file, and that copy still contains the vulnerable code.

The only way to patch your source code is to copy the files which have the security issue into the app/code/community or app/code/local code pools and apply the patch to this copy (by updating the paths in the patch file), or to copy the security fix manually into your overload.

Also, if you use the Magento compilation, do not forget to recompile after applying the patches. If you do not, the compiled copy in includes/src is still the old code and you are also not patched.
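One way to check for this after running a patch, as an added example that is not part of the original post: the script below reads the app/code/core paths a patch touched, reports any copy of those files in the community or local pools (which the patch did not modify), and tells you whether the compiler is enabled. The sample tree, the sample patch and all file paths are constructed for the demo; the compiler check assumes the stock includes/config.php layout, where the define is commented out with '#' until compilation is enabled.

```shell
#!/bin/sh
# Added example, not from the original post: after running a Magento .sh patch,
# list the app/code/core files it touched and flag copies of them in the
# community/local pools, which the patch left untouched. Sample tree, patch
# and paths are constructed for the demo.

# Core paths touched by a patch, read from its "+++ " headers (a/ b/ prefixes tolerated).
patched_core_files() {
  grep -E '^\+\+\+ ' "$1" | sed -E 's/^\+\+\+ (a\/|b\/)?//; s/[[:space:]].*$//' \
    | grep '^app/code/core/' | sort -u
}

# $1 = Magento root, $2 = patch file. Prints each community/local override of a
# patched core file; prints nothing when no override exists.
find_unpatched_overrides() {
  patched_core_files "$2" | while read -r core; do
    rel=${core#app/code/core/}
    for pool in community local; do
      if [ -f "$1/app/code/$pool/$rel" ]; then echo "app/code/$pool/$rel"; fi
    done
  done
}

# True when the compiler is enabled: stock includes/config.php keeps this define
# commented out with '#' until compilation is turned on (assumed stock layout).
compiler_enabled() {
  grep -qE "^define\('COMPILER_INCLUDE_PATH'" "$1/includes/config.php" 2>/dev/null
}

# Constructed sample shop: one core file, a local copy of it, compiler enabled,
# and a patch that touches only the core file. $1 = target directory.
build_fixture() {
  mkdir -p "$1/app/code/core/Mage/Core/Controller" "$1/app/code/local/Mage/Core/Controller" "$1/includes"
  echo '<?php // core' > "$1/app/code/core/Mage/Core/Controller/Request.php"
  echo '<?php // local copy' > "$1/app/code/local/Mage/Core/Controller/Request.php"
  echo "define('COMPILER_INCLUDE_PATH', dirname(__FILE__).'/src');" > "$1/includes/config.php"
  cat > "$1/patch.sh" <<'EOF'
--- app/code/core/Mage/Core/Controller/Request.php
+++ app/code/core/Mage/Core/Controller/Request.php
@@ -1 +1 @@
-<?php // core
+<?php // core, fixed
EOF
}

demo_root=$(mktemp -d)   # demo run against the constructed tree
build_fixture "$demo_root"
find_unpatched_overrides "$demo_root" "$demo_root/patch.sh"   # prints the local copy
if compiler_enabled "$demo_root"; then echo "Compiler enabled: recompile after patching"; fi
rm -rf "$demo_root"
```

On a real shop, run the two checks with the shop root and the downloaded patch file instead of the constructed tree; every path printed is a file you still have to fix by hand.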