Magento has released a critical patch today.
This will help close 3 major vulnerabilities listed below and more.
RCE stands for ‘Remote Code Execution’ that allows an attacker to access your Magento store, make changes regardless of where you are located.
XSS which stands for ‘Cross-site scripting’ where attackers can place malicious scripts onto secure and trusted websites to visitors of your website.
Lastly, the patch will help close CSRF attacks which stands for ‘Cross-site request forgery’. These attacks trick the user’s browser into performing actions that are set up by the attacker. These actions can include transferring funds or changing of an email address.
These are very serious vulnerabilities and should be patched immediately.
Please contact us for additional questions and review the Magento notes and download details that are listed below.
If you are on Magento 2. Please review the notes here and contact us with additional questions:
SUPEE-11086, Magento Commerce 220.127.116.11 and Open Source 18.104.22.168 contain multiple security enhancements that help close remote code execution (RCE), cross-site scripting (XSS), cross-site request forgery (CSRF) and other vulnerabilities.
Patches and upgrades are available for the following Magento versions:
- Magento Commerce 22.214.171.124-126.96.36.199: SUPEE-11086 or upgrade to Magento Commerce 188.8.131.52.
- Magento Open Source 184.108.40.206-220.127.116.11: SUPEE-11086 or upgrade to Magento Open Source 18.104.22.168.