New Magento Security Updates for SQL Injection Vulnerability
- Magento Commerce < 184.108.40.206
- Magento Open Source < 220.127.116.11
- Magento < 2.1.17
- Magento < 2.2.8
- Magento < 2.3.1
For Magento 2.x.x
Magento Commerce and Open Source 2.3.1, 2.2.8 and 2.1.17 contain multiple security enhancements that help close Remote Code Execution (RCE), Cross-Site Scripting (XSS) and other vulnerabilities.
NOTE: A SQL injection vulnerability has been identified in pre-2.3.1 Magento code. To quickly protect your store from this vulnerability only, install patch PRODSECBUG-2198. However, to protect against this vulnerability and others, you must upgrade to Magento Commerce or Open Source 2.3.1 or 2.2.8. We strongly suggest that you install these full patches as soon as you can.
NOTE: Cloud customers can upgrade ECE-Tools to version 2002.0.17 to get this vulnerability in core application patched automatically. Infrastructure team added measures to block any currently known ways to exploit the vulnerability by adding additional WAF rules, which are deployed globally. Even though we have blocked known ways to exploit vulnerability, we strongly recommend to either upgrade ECE-Tools or apply the patch through m2-hotfixes.
For Magento 1.x.x
SUPEE-11086, Magento Commerce 18.104.22.168 and Open Source 22.214.171.124 contain multiple security enhancements that help close remote code execution (RCE), cross-site scripting (XSS), cross-site request forgery (CSRF) and other vulnerabilities.
Patches and upgrades are available for the following Magento versions:
- Magento Commerce 126.96.36.199-188.8.131.52: SUPEE-11086 or upgrade to Magento Commerce 184.108.40.206.
- Magento Open Source 220.127.116.11-18.104.22.168: SUPEE-11086 or upgrade to Magento Open Source 22.214.171.124.
If you would like us to install the patches or upgrade to the latest version, please contact us:Contact Us