AFFECTED VERSIONS

• Magento Commerce < 1.14.4.1
• Magento Open Source < 1.9.4.1
• Magento < 2.1.17
• Magento < 2.2.8
• Magento < 2.3.1

For Magento 2.x.x

Magento Commerce and Open Source 2.3.1, 2.2.8 and 2.1.17 contain multiple security enhancements that help close Remote Code Execution (RCE), Cross-Site Scripting (XSS) and other vulnerabilities.

NOTE: A SQL injection vulnerability has been identified in pre-2.3.1 Magento code. To quickly protect your store from this vulnerability only, install patch PRODSECBUG-2198. However, to protect against this vulnerability and others, you must upgrade to Magento Commerce or Open Source 2.3.1 or 2.2.8. We strongly suggest that you install these full patches as soon as you can.

NOTE: Cloud customers can upgrade ECE-Tools to version 2002.0.17 to get this vulnerability in core application patched automatically. Infrastructure team added measures to block any currently known ways to exploit the vulnerability by adding additional WAF rules, which are deployed globally. Even though we have blocked known ways to exploit vulnerability, we strongly recommend to either upgrade ECE-Tools or apply the patch through m2-hotfixes.

For Magento 1.x.x

SUPEE-11086, Magento Commerce 1.14.4.1 and Open Source 1.9.4.1 contain multiple security enhancements that help close remote code execution (RCE), cross-site scripting (XSS), cross-site request forgery (CSRF) and other vulnerabilities.

Information on all the changes in 1.14.4.1 and 1.9.4.1 releases is available in the Magento Commerce and Magento Open Source release notes.

Patches and upgrades are available for the following Magento versions:

• Magento Commerce 1.9.0.0-1.14.4.0: SUPEE-11086 or upgrade to Magento Commerce 1.14.4.1.
• Magento Open Source 1.5.0.0-1.9.4.0: SUPEE-11086 or upgrade to Magento Open Source 1.9.4.1.

If you would like us to install the patches or upgrade to the latest version, please contact us: