Magento has released security updates for all supported versions. These include the SUPEE-11086 patch for Magento 1, alongside incremental version upgrades for Magento 1 and 2:
– Magento Community Edition (Open Source) 1.9.4.1
– Magento Enterprise Edition (Commerce) 1.14.4.1
– Magento Open Source (CE) and Commerce (EE) 2.1.17
– Magento Open Source (CE) and Commerce (EE) 2.2.8
– Magento Open Source (CE) and Commerce (EE) 2.3.1
These security updates patch specific instances of several types of vulnerabilities, such as:
– Cross-site scripting
– Both arbitrary and remote code execution
– Sensitive data disclosure
– SQL injection
– Cross-site request forgery
– Data manipulation due to improper validation
– Admin credentials being logged in exception reports
– Unauthorized access to order lists
At this time, Magento is not aware of any of these security holes being exploited. However, now that the vulnerabilities are known, it’s important to update your sites as soon as possible.
Other recent updates include a Magento patch for Authorize.net SHA-512.
Whether patching or updating your website, please be sure to test your site on a development and/or staging server before pushing the changes to your live website.
Additionally, if you’re still on Magento 1, Magento 2.1, or 2.2, please be aware that these versions have known end-of-life dates, after which Magento will stop issuing support patches and version updates. It’s recommended that you plan an upgrade to Magento 2.3.x accordingly.