We updated all of our stores to 188.8.131.52 the day it came out. This caused lots of headaches when APIs broke, but we got everything stabilized.
We're thinking about waiting to update to 184.108.40.206, assuming that it only fixes some issues that we've already remedied in other ways, but I wanted to make sure that there aren't any critical security updates in there that will leave us vulnerable.
Does 220.127.116.11 only fix these things that 18.104.22.168 broke, or does it also contain new security updates that 22.214.171.124 did not?
Side note: The release notes mention that 126.96.36.199 "Prevented a potential Cross-Site Request Forgery (CSRF) vulnerability by changing the form key when a customer signs out of the storefront." but they don't specifically mention "Security Enhancements" (like 188.8.131.52 did).
Hi @Eric Seastrand,
I guess that you are talking about something that was discussed yesterday at the Slack channel. Piotr Kaminski (from Magento) said:
so the XSS thing is an additional case we've seen after 8788/184.108.40.206 given that it requires admin access and is not obvious to trigger, it doesn't really require a separate patch in our opinion. There are worse things you can do if you have admin access.
That change was made only for the EE version, in the module CatalogEvent.
Is this useful?