Magento core vulnerabilities
by Sansec Support
Published in Guides
Adobe frequently releases security patches, addressing important vulnerabilities in Magento. Most vulnerabilities are of the "XSS/CSRF" type. These may enable an attacker to intercept administrator sessions. More rarely, "unauthorized RCE/SQLi" bugs are discovered, which are typically more dangerous as they hand full control of your store to a third party.
eComscan will alert when you are running an outdated and vulnerable core installation.
See our secure release/hotfix matrix to determine which patches or upgrades you need.
Sansec strongly recommends to install these security patches as soon as possible. In the past, published vulnerabilities have been massively exploited within days of publication.
An overview of the most recent critical patch releases for Magento 2:
- 2023-03-15: Private info leak, admin XSS in 2.4.5-p1, 2.4.4-p2
- 2022-10-11: Cross-site Scripting (Stored XSS) in 2.4.5, 2.4.4-p1
- 2022-08-09: XML injection vulnerability in 2.4.3-p2, 2.3.7-p3
- 2022-04-12: Improper Input Validation in 2.4.3-p1, 2.3.7-p2
- 2022-03-21: Improper header parsing in guzzlehttp/psr7
- 2022-02-17: Emergency hotfix for Magento 2 template bug
- 2021-10-13: CSRF bug may leak admin access in 2.4.2-p2, 2.4.3, 2.3.7-p1
- 2021-08-13: RCE bug may hand control to attackers in 2.3.7 and 2.4.2-p1
- 2021-05-11: XSS bug in 2.3.6-p1, 2.4.1-p1, 2.4.2
- 2021-02-11: RCE bugs in 2.3.6, 2.4.0-p1 and 2.4.1
- 2019-10-08: RCE/XSS bugs in 2.2.10, 2.3.2-p1 and 2.3.3
- 2019-06-25: XSS bug may leak admin access in 2.3.2, 2.2.9 and 2.1.8
- 2019-03-26: Critical RCE bug leaks admin access in 2.1.17, 2.2.8 and 2.3.1
Vulnerabilities in 3rd party plugins/modules
eComscan checks for known weaknesses in installed Magento modules. Read more here.
Vulnerabilities in 3rd party libraries
Sometimes vulnerabilities are found in libraries that Magento depends on, for example guzzlehttp/psr7. If the library authors provide a fixed version, you can upgrade your local installation by running (for example):
composer require 'guzzlehttp/psr7:*'
Make sure to commit your Composer.lock to your version control system afterwards.
More information
Troubleshooting
Installed all relevant patches and eComscan still reports an issue?
- In some cases, the old (vulnerable) code is cached and still active, so you should ensure to flush all your caches.
- In some cases, your account contains multiple installations (perhaps by accident) and not all of them have been upgraded.
What is Magecart?
Also known as digital skimming, this crime has surged since 2015. Criminals steal card data during online shopping. Who are behind these notorious hacks, how does it work, and how have Magecart attacks evolved over time?
About Magecart
