Adobe frequently releases security patches, addressing important vulnerabilities in Magento. Most vulnerabilities are of the “XSS/CSRF” type. These may enable an attacker to intercept administrator sessions. More rarely, “unauthorized RCE/SQLi” bugs are discovered, which are typically more dangerous as they hand full control of your store to a third party.

eComscan will alert when you are running an outdated and vulnerable core installation.

See our secure release/hotfix matrix to determine which patches or upgrades you need.

Sansec strongly recommends to install these security patches as soon as possible. In the past, published vulnerabilities have been massively exploited within days of publication.

An overview of the most recent critical patch releases for Magento 2:

• 2022-10-11: Cross-site Scripting (Stored XSS) in 2.4.5, 2.4.4-p1
• 2022-08-09: XML injection vulnerability in 2.4.3-p2, 2.3.7-p3
• 2022-04-12: Improper Input Validation in 2.4.3-p1, 2.3.7-p2
• 2021-10-13: CSRF bug may leak admin access in 2.4.2-p2, 2.4.3, 2.3.7-p1
• 2021-08-13: RCE bug may hand control to attackers in 2.3.7 and 2.4.2-p1
• 2021-05-11: XSS bug in 2.3.6-p1, 2.4.1-p1, 2.4.2
• 2021-02-11: RCE bugs in 2.3.6, 2.4.0-p1 and 2.4.1
• 2019-10-08: RCE/XSS bugs in 2.2.10, 2.3.2-p1 and 2.3.3
• 2019-06-25: XSS bug may leak admin access in 2.3.2, 2.2.9 and 2.1.8
• 2019-03-26: Critical RCE bug leaks admin access in 2.1.17, 2.2.8 and 2.3.1

More information

• Adobe security bulletins for Magento & Adobe Commerce
• Adobe software lifecycle policy

Troubleshooting

Installed all relevant patches and eComscan still reports an issue?

• In some cases, the old (vulnerable) code is cached and still active, so you should ensure to flush all your caches.
• In some cases, your account contains multiple installations (perhaps by accident) and not all of them have been upgraded.