Magento Updates 2.2.3, 2.1.12, 2.0.18, 1.9.3.8

Magento 2.2.3

Magento 2.2.3 was released on February 27 and includes 38 security fixes and 35 enhancements, for example against Admin user remote code execution, unauthorized data leaks, and cross-site request forgery (CSRF) vulnerabilities. The Magento Admin also supports the upcoming USPS shipping changes, and the copyright was updated for 2018. In addition, this update brings support for Elasticsearch 5.x and improved control of cache management tasks through the Magento Admin.
Because the update closes a large number of vulnerabilities, it is recommended to install the update as soon as possible.

Top 10 security fixes of this update (also called patch SUPEE-10570):

  • APPSEC-1951: JavaScript execution in the administrator panel
  • APPSEC-1952: Remote Code Execution using media upload
  • APPSEC-1865: Cross-Site Scripting in customer information
  • APPSEC-1907: Cross-site Scripting in Customer Address
  • APPSEC-1935: Cross-site Scripting leading to Denial-of-Service
  • APPSEC-1977: Common Server Misconfiguration causes data leak
  • APPSEC-1901: Local file inclusion in customer view
  • APPSEC-1944: CSRF in Store Backups
  • APPSEC-1986: Local file inclusion in import history
  • APPSEC-1929: Path Traversal in Image Upload

 

Magento 2.1.12, 2.0.18 and 1.9.3.8

The latest updates for Magento 1.9, 2.0 and 2.1 were released on February 27 and contain the same 38 security fixes as well as enhancements to improve security. Like the update for Magento 2.2.3, they also include the change for the upcoming USPS shipping changes and the copyright update.
This is the last update for Magento 2.0, so it is recommended to update to Magento 2.1 or 2.2 in the near future.

The official information on the security fixes is available on the Magento Tech Resources.

Remember to create backups before updating to prevent data loss.

(Featured image by peshkova)