Magento is a leading open-source e-commerce platform written in PHP. It was introduced in 2008, and Magento has a 1.9% share of the CMS market.
Magento released security patches for versions 2.3.3, 2.3.2-p1 and 2.2.10 that address several vulnerabilities that could be exploited by attackers.
The vulnerability present in these versions may allow an unauthenticated user to insert a malicious payload through PageBuilder template methods.
Affected Magento Versions
Magento Commerce 2.3.1; Magento Commerce 2.3.2 (deployments that have not had security-only patch 2.3.2-p2 installed); unsupported versions of Page Builder, such as Page Builder Beta.
Magento said that “The Magento 2.2.10 software release marks the final supported software release for Magento version 2.1.x. As of June 30, 2019, Magento 2.1.x will no longer receive security updates or product quality fixes now that its support window has expired.”
Users who updated to 2.3.3 or applied security-only patch 2.3.2-p2 are recommended to check their Magento installation to confirm that it was not compromised before the patch was applied.
Magento urges users to apply the described patches as soon as possible.
Users running Magento 2.3.1
Install the MDVA-22979_EE_2.3.1_v1 patch now, and then schedule your upgrade to 2.3.3 or 2.3.2-p2 as soon as possible.
Review your site and your server for signs of potential compromise.
Users running Magento 2.3.2
Install the MDVA-22979_EE_2.3.2_v1 patch now, then schedule your upgrade to 2.3.3 or 2.3.2-p2 as soon as possible.
Review your site and your server for signs of potential compromise.
Here you can find the best practices to secure your Magento websites.