Magento Commerce and Open Source 2.3.2, 2.2.9 and 2.1.18 contain 75 security enhancements that help close Remote Code Execution (RCE), Cross-Site Scripting (XSS) and other vulnerabilities. These enhancements are described in three related blog posts — the post you’re currently reading plus these two separate posts, which you can find here: Part 2 and Part 3.
Merchants who have not previously downloaded a Magento 2 release should go straight to Magento Commerce or Open Source 2.3.2.
Please refer to Security Best Practices for additional information on how to secure your site.
The Magento 2.1.18 software release marks the final supported software release for Magento version 2.1.x. As of June 30 2019, Magento 2.1.x will no longer receive security updates or product quality fixes now that its support window has expired.
To download the releases, choose from the following options:
Partners:
Magento Commerce 2.3.2 (New .zip file installations) | Partner Portal > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.3.2 |
Magento Commerce 2.2.9 (New .zip file installations) | Partner Portal > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.2.9 |
Magento Commerce 2.1.18 (New .zip file installations) | Partner Portal > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.1.18 |
Magento Commerce 2.3.2, 2.2.9 and 2.1.18 (New composer installations) | |
Magento Commerce 2.3.2, 2.2.9 and 2.1.18 (Composer upgrades) |
Magento Commerce:
Magento Commerce 2.3.2 (New .zip file installations) | My Account > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.3.2 |
Magento Commerce 2.2.9 (New .zip file installations) | My Account > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.2.9 |
Magento Commerce 2.1.18 (New .zip file installations) | My Account > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.1.18 |
Magento Commerce 2.3.2, 2.2.9 and 2.1.18 (New composer installations) | |
Magento Commerce 2.3.2, 2.2.9 and 2.1.18 (Composer upgrades) |
Magento Open Source:
Magento Open Source 2.3.2, 2.2.9 and 2.1.18 (New .zip file installations) | Magento Open Source Download Page > Download Tab |
Magento Open Source 2.3.2, 2.2.9 and 2.1.18 (New composer installations) | |
Magento Open Source 2.3.2, 2.2.9 and 2.1.18 (Composer upgrades) | |
Magento Open Source 2.3.2, 2.2.9 and 2.1.18 (Developers contributing to the Open Source code base) |
PRODSECBUG-2233: Stored cross-site scripting in the admin panel - CVE-2019-7877 | |
---|---|
Type: | General: cross-site scripting |
CVSSv3 Severity: | 9.6 |
Known Attacks: | None (exploit details are available publicly) |
Description: | A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious JavaScript. In some configurations, the issue could be exploited by an unauthenticated user using the storefront. NOTE: A patch for this issue is also available for earlier versions of Magento; more details here. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Simon Scannell |
PRODSECBUG-2296: Arbitrary code execution through design layout update - CVE-2019-7895 | |
---|---|
Type: | General: Remote Code Execution |
CVSSv3 Severity: | 9.1 |
Known Attacks: | none |
Description: | An authenticated user with admin privileges can execute arbitrary code through a crafted XML layout update. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Blaklis |
PRODSECBUG-2298: Arbitrary code execution through product imports and design layout update - CVE-2019-7896 | |
---|---|
Type: | General: Remote Code Execution |
CVSSv3 Severity: | 9.1 |
Known Attacks: | none |
Description: | An authenticated user with admin privileges can execute arbitrary code through a combination of product import via a crafted CSV file and an XML layout update. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Edgar Boda-Majer |
PRODSECBUG-2349: Arbitrary code execution via file upload in admin import feature - CVE-2019-7930 | |
---|---|
Type: | File Problems: Unsafe File Upload |
CVSSv3 Severity: | 9.1 |
Known Attacks: | none |
Description: | An authenticated user with admin privileges to the import feature can execute arbitrary code by uploading a malicious csv file. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | sambecks |
PRODSECBUG-2202: Security bypass via form data injection - CVE-2019-7871 | |
---|---|
Type: | General: Remote Code Execution |
CVSSv3 Severity: | 9.1 |
Known Attacks: | none |
Description: | An authenticated user can inject form data and bypass security protections that prevent arbitrary PHP script upload. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Max Chadwick |
PRODSECBUG-2375: Arbitrary code execution via malicious XML layouts - CVE-2019-7942 | |
---|---|
Type: | General: Remote Code Execution |
CVSSv3 Severity: | 9.1 |
Known Attacks: | none |
Description: | An authenticated user with admin privileges can execute arbitrary code when creating a product via malicious XML layouts. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Charles Fol |
PRODSECBUG-2306: Remote code execution through crafted email templates - CVE-2019-7903 | |
---|---|
Type: | General: Remote Code Execution |
CVSSv3 Severity: | 9.0 |
Known Attacks: | none |
Description: | An authenticated user with admin privileges can execute arbitrary code through crafted email template code when previewing the template. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Karim El Ouerghemmi |
PRODSECBUG-2351: Arbitrary code execution via crafted sitemap creation - CVE-2019-7932 | |
---|---|
Type: | General: Remote Code Execution |
CVSSv3 Severity: | 9.0 |
Known Attacks: | none |
Description: | An authenticated user with admin privileges to create sitemaps can execute arbitrary code by crafting filenames that include a PHP extension within the XML filename. |
Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Simon Scannell |
PRODSECBUG-2266: Arbitrary code execution through malicious elastic search module configuration - CVE-2019-7885 | |
---|---|
Type: | General: Remote Code Execution |
CVSSv3 Severity: | 9.0 |
Known Attacks: | none |
Description: | An authenticated user with privileges to configure the catalog search can execute arbitrary code through malicious configuration of the Elastic search module. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Simon Scannell |
PRODSECBUG-2429: Insecure object reference via customer REST API - CVE-2019-7950 | |
---|---|
Type: | General: Information Leakage |
CVSSv3 Severity: | 8.8 |
Known Attacks: | none |
Description: | Unauthenticated users can pass arbitrary values for company attribute parameters via POST and PUT actions and assign themselves to an arbitrary company, effectively gaining access to that company's confidential information. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Internal Penetration Testing |
PRODSECBUG-2307: Insufficient enforcement of user access controls can lead to unauthorized environment configuration changes - CVE-2019-7904 | |
---|---|
Type: | Privilege Escalation & Enumeration: Broken Authentication and Session Management |
CVSSv3 Severity: | 8.5 |
Known Attacks: | none |
Description: | Insufficient enforcement of user access controls can be abused by a low-privileged user to make unauthorized environment configuration changes, such as removing security controls. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Edgar Boda-Majer |
PRODSECBUG-2198: SQL Injection due to a flaw in MySQL adapter - CVE-2019-7139 | |
---|---|
Type: | General: SQL Injection (Blind Read) |
CVSSv3 Severity: | 8.2 |
Known Attacks: | none |
Description: | An unauthenticated user in Magento 2.x, or an authenticated user in Magento 1.x, can execute SQL statements that allow arbitrary read access to the underlying database. Note: this issue was addressed in previous patches 2.2.8 and 2.3.1 and also in separately released patches PRODSECBUG-2198. This release adds a fix for version 2.1.x. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18 |
Fixed In: | Magento 2.1.18 |
Reporter: | Charles Fol |
PRODSECBUG-2347: Insufficient brute-forcing defenses in the token exchange protocol could be abused in carding attacks - CVE-2019-7928 | |
---|---|
Type: | Others: Denial of Service |
CVSSv3 Severity: | 8.2 |
Known Attacks: | Reported |
Description: | Insufficient brute-forcing defenses in the token exchange protocol between Magento and payment processors could be abused in carding attacks. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: |
PRODSECBUG-2285: Arbitrary code execution due to unsafe handling of a carrier gateway - CVE-2019-7892 | |
---|---|
Type: | General: Remote Code Execution |
CVSSv3 Severity: | 8.0 |
Known Attacks: | none |
Description: | An authenticated user with admin privileges to access shipment settings can execute arbitrary code through server-side request forgery. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Max Chadwick |
PRODSECBUG-2232: Arbitrary code execution via layout manipulation - CVE-2019-7876 | |
---|---|
Type: | General: Remote Code Execution |
CVSSv3 Severity: | 8.0 |
Known Attacks: | none |
Description: | An authenticated user with privileges to manipulate layout can execute arbitrary code through crafted custom layout update field. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Peter O'Callaghan |
PRODSECBUG-2339: Arbitrary code execution due to unsafe handling of a carrier gateway - CVE-2019-7923 | |
---|---|
Type: | General: Remote Code Execution |
CVSSv3 Severity: | 8.0 |
Known Attacks: | none |
Description: | An authenticated user with admin privileges to manipulate shipment settings can execute arbitrary code through server-side request forgery. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Max Chadwick |
PRODSECBUG-2322: Arbitrary code execution due to unsafe handling of a shipping gateway - CVE-2019-7913 | |
---|---|
Type: | General: Remote Code Execution |
CVSSv3 Severity: | 7.9 |
Known Attacks: | none |
Description: | An authenticated user with admin privileges to manipulate shipment methods can execute arbitrary code through server-side request forgery. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Max Chadwick |
PRODSECBUG-2320: Arbitrary code execution due to unsafe handling of system configuration - CVE-2019-7911 | |
---|---|
Type: | General: Remote Code Execution |
CVSSv3 Severity: | 7.9 |
Known Attacks: | none |
Description: | An authenticated user with admin privileges to manipulate system configuration can execute arbitrary code through server-side request forgery. |
Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Max Chadwick |
PRODSECBUG-2430: Security bypass via crafted SOAP requests - CVE-2019-7951 | |
---|---|
Type: | General: Remote Code Execution |
CVSSv3 Severity: | 7.4 |
Known Attacks: | none |
Description: | A SOAP web service endpoint does not properly enforce parameters related to the access control list and customer identification, allowing arbitrary customer identification in crafted SOAP requests. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Internal Penetration Testing |
PRODSECBUG-2177: Insufficient server side validations leads to Insecure File upload vulnerability - CVE-2019-7861 | |
---|---|
Type: | Others: Security Implementation Flaw |
CVSSv3 Severity: | 6.5 |
Known Attacks: | none |
Description: | An attacker can upload malicious files due to insufficient server side validations. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Internal Penetration Testing |
PRODSECBUG-2325: Denial-of-service by forcing a store to respond with a 404 error - CVE-2019-7915 | |
---|---|
Type: | General: Remote Code Execution |
CVSSv3 Severity: | 6.5 |
Known Attacks: | none |
Description: | An attacker can cause a denial-of-service via a crafted request that results in the Magento store serving a cached 404 error response. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Matti Vapa |
PRODSECBUG-2208: Insufficient authorization check when adding users to company accounts - CVE-2019-7872 | |
---|---|
Type: | Privilege Escalation & Enumeration: Insecure Direct Object Reference |
CVSSv3 Severity: | 6.0 |
Known Attacks: | none |
Description: | Insufficient authorization checks could be abused by a user with admin privileges to add users to company accounts, or modify existing user details. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | craig-gene |
PRODSECBUG-2222: Deletion of user roles via cross-site request forgery (CSRF) - CVE-2019-7874 | |
---|---|
Type: | General: Cross Site Request Forgery |
CVSSv3 Severity: | 5.8 |
Known Attacks: | none |
Description: | An attacker can delete user roles within the context of an authenticated administrator's session through cross-site request forgery (CSRF). |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Djordje Marjanovic |
PRODSECBUG-2346: Stored cross-site scripting in the admin panel - CVE-2019-7927 | |
---|---|
Type: | General: cross-site scripting |
CVSSv3 Severity: | 5.5 |
Known Attacks: | none |
Description: | A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Internal Penetration Testing |
PRODSECBUG-2364: Stored cross-site scripting in the admin panel - CVE-2019-7936 | |
---|---|
Type: | General: cross-site scripting |
CVSSv3 Severity: | 5.5 |
Known Attacks: | none |
Description: | A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Max Chadwick |
PRODSECBUG-2116: Stored cross-site scripting in the catalog events feature - CVE-2019-8068 | |
---|---|
Type: | General: cross-site scripting |
CVSSv3 Severity: | 5.5 |
Known Attacks: | none |
Description: | A stored cross-site scripting vulnerability exists in the catalog marketing events form. This could be exploited by an authenticated user with privileges to catalog events to inject malicious javascript. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Max Chadwick |
PRODSECBUG-2182: Reflected cross-site scripting in the admin panel. - CVE-2019-7862 | |
---|---|
Type: | General: cross-site scripting |
CVSSv3 Severity: | 5.5 |
Known Attacks: | none |
Description: | A reflected cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Magecraze |
PRODSECBUG-2366: Stored cross-site scripting in the admin panel - CVE-2019-7937 | |
---|---|
Type: | General: cross-site scripting |
CVSSv3 Severity: | 5.5 |
Known Attacks: | none |
Description: | A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Max Chadwick |
PRODSECBUG-2275: Unsafe functionality is exposed via email templates manipulation - CVE-2019-7889 | |
---|---|
Type: | General: injection |
CVSSv3 Severity: | 5.5 |
Known Attacks: | none |
Description: | An authenticated user with marketing manipulation privileges can invoke methods that alter data of the underlying model followed by corresponding database modifications. |
Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Blaklis |
PRODSECBUG-2299: Stored cross-site scripting in the admin panel - CVE-2019-7897 | |
---|---|
Type: | General: cross-site scripting |
CVSSv3 Severity: | 5.5 |
Known Attacks: | none |
Description: | A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript. |
Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Karim El Ouerghemmi |
Magento 2.3.2, 2.2.9, and 2.1.18 contain 75 critical security enhancements. These enhancements are described in three related blog posts — the post you’re currently reading plus these two separate posts, which you can find here: Part 2 and Part 3.
Please refer to Security Best Practices for additional information on how to secure your site.
Be sure to implement and test the patch in a development environment first to confirm that it works as expected before deploying it to a production site.