Hello @hoanghoang_hoan ,

You can use https://github.com/philwinkle/Philwinkle_AppliedPatches to see a list of applied patches. If you don't want to install an extension you can check the app/etc/applied.patches.list file. Check the module's source for more info.

Be careful with this file. This file isn't the current status of the patch files, but only an information that it was applied in the past.

This means:

• Applying the patch and not commiting the file means no (or old) file and applied patches
• Not commiting the patched files, but the applied.patches.list file means misinformation!

--
If my answer is useful, please Accept as Solution & give Kudos

@hoanghoang_hoanHey,

Magento scanner many of times give you false positive as well as they have strict scanning criteria which Magereport does not have. As you said you already have applied the patch and your shop must be patched.

My recommendation would be to send an email to Magento security scanner team to confirm if your website really has an issue. They can manually review your site and confirm if there is an issue with the Patch or scanner is giving you false result.

Email address to send your query would be: securityscan@magento.com

Do send your website URL for them to have a look for the issue.

Problem solved? Please give 'Kudos' and accept 'Answer as Solution'.