Sansec logo

Magento core vulnerabilities

Sansec

by Team Sansec

Published in Guides

Adobe frequently releases security patches, addressing important vulnerabilities in Magento. Most vulnerabilities are of the "XSS/CSRF" type. These may enable an attacker to intercept administrator sessions. More rarely, "unauthorized RCE/SQLi" bugs are discovered, which are typically more dangerous as they hand full control of your store to a third party.

eComscan will alert when you are running an outdated and vulnerable core installation.

See our secure release/hotfix matrix to determine which patches or upgrades you need.

Sansec strongly recommends to install these security patches as soon as possible. In the past, published vulnerabilities have been massively exploited within days of publication.

An overview of the most recent critical patch releases for Magento 2:

Vulnerabilities in 3rd party plugins/modules

eComscan checks for known weaknesses in installed Magento modules. Read more here.

Vulnerabilities in 3rd party libraries

Sometimes vulnerabilities are found in libraries that Magento depends on, for example guzzlehttp/psr7. If the library authors provide a fixed version, you can upgrade your local installation by running (for example):

composer require 'guzzlehttp/psr7:*'

Make sure to commit your Composer.lock to your version control system afterwards.

More information

Troubleshooting

Installed all relevant patches and eComscan still reports an issue?

  • In some cases, the old (vulnerable) code is cached and still active, so you should ensure to flush all your caches.
  • In some cases, your account contains multiple installations (perhaps by accident) and not all of them have been upgraded.
Need expert advice? We are here to help!

Stay up to date with the latest eCommerce attacks

Sansec logo

experts in eCommerce security

Terms & Conditions
|
Privacy & Cookie Policy
Company Reg 77165187
|
Tax NL860920306B01