The scanner is reporting this now:
SUPEE-11219 - Failed.
Weak password requirements found (PRODSECBUG-2331)
But I applied "SUPEE-11219" successfully already.
And PRODSECBUG-2331 does not belong to "SUPEE-11219" but to "SUPEE-11155":
But I also applied "SUPEE-11155" successfully.
Does anybody else have that issue?
I am having the same issue since yesterday's scan. Both SUPEE-11155 and SUPEE-11219 were installed on our site successfully and the scan report says they are both needed/not installed yet.
Magento ver. 220.127.116.11
Same here since the security scan on 25/10/2019 on ver. 18.104.22.168. Magereport says only SUPEE 11155. I did find that indeed the new customer account was allowing insecure passwords. The code for the WYSIWYG editor seems OK, but since the security scan says otherwise I am looking into it.
How can I check for insecure passwords? What exactly is an insecure password that the patch prevents?
I configured at least 7 characters for a password in the backend and thought that prevents any insecure passwords.
Does that mean that the patch does not actually fix that issue and their own check fails as a result of that now?
I did a scan via https://www.magereport.com and it says that 11219 and 11155 are installed.
Regarding SUPEE-11155, after seeing what changes it makes, I found that in js/Mage/Adminhtml/Wysiwyg/tiny_mce/setup.js line 369 was missing media_disable_flash:this.config.media_disable_flash, which I added. I ran Magereport and voilà, No Risks! I am now waiting (takes forever) for a Security Scan.
Note that for the last year or more I have not patched my store; I update the version.
I hope my finding will help. I will report any other update on a scan.
My setup.js file has "media_disable_flash : this.config.media_disable_flash," and the daily scan still is reporting both SUPEE-11219 and SUPEE-11155 are not installed and yet I verified they both are installed.
I checked the file and I already have the line:
"media_disable_flash : this.config.media_disable_flash,"
So that can't be it.
Maybe I also have to install the full version and not the patch file. Could be worth a try.
I'm experiencing the same problem with all four of the Magento 1 installations I manage. I have also done a full version update, which does not resolve the problem.
An insecure password is one that contains numbers or letters. For example, 123ABC is an insecure password (one that can be broken using a brute-force attack). A secure password must contain both uppercase and lowercase letters, numbers (and not 111 or 222) and at least one special character. So, for example, "Av975!@" is 7 characters long but appears strong in any meter. The longer the password, the better. A "validate.php" process keeps the input in check.
Okay, so Full Version does not fix it either. That's really weird. That means probably everybody has that security warning now.
Maybe because Magento checks for a weak password that they didn't even prevent/fix with a patch.