Latest Magento Security Update Helps Protect from Recently Reported RCE Vulnerability

jeanne_frontain
Adobe Team

Magento is committed to delivering security updates to our customers. Because most exploits tend to target software installations that are not up-to-date with the latest security updates, we always strongly recommend that users install security updates as soon as they are available.

 

Merchants running Magento Commerce 2.3.x should install the latest security update to help protect their stores from potential malicious attacks that could exploit a vulnerability in preview methods. This vulnerability could enable an unauthenticated user to insert a malicious payload into a merchant’s site and execute it, which is why we recommend installing this update.

 

This issue was addressed in Magento Commerce 2.3.3 and the security-only patch 2.3.2-p2. (See the discussion of CVE-2019-8144 in Magento 2.3.3 and 2.2.10 Security Update, or cve.mitre.org CVE-2019-8144.)

 

Affected Magento versions

 

  • Magento Commerce 2.3.1
  • Magento Commerce 2.3.2 (deployments that have not had security-only patch 2.3.2-p2 installed)
  • Unsupported versions of Page Builder, such as Page Builder Beta

 

Protect your store

Important: We recommend that all merchants, even those who have already upgraded to 2.3.3 or applied security-only patch 2.3.2-p2, review the security of their Magento site to confirm that it was not potentially compromised before upgrade. Applying this hot fix or upgrading as described in this blog will help defend your store against potential attacks going forward, but will not address the effects of an earlier attack.

 

Recommended action

We recommend that merchants take the actions described below as soon as possible:

Merchants running Magento 2.3.1—

 

  • Install the MDVA-22979_EE_2.3.1_v1 patch now, and then schedule your upgrade to 2.3.3 or 2.3.2-p2 as soon as possible.
  • Review your site and your server for signs of potential compromise.

Please note that editing an email template will not work as expected after the MDVA-22979_EE_2.3.1_v1 patch has been applied. However, this feature still works as expected from the email templates grid.

 

Merchants running Magento 2.3.2—

 

  • Install the MDVA-22979_EE_2.3.2_v1 patch now, and then schedule your upgrade to 2.3.3 or 2.3.2-p2 as soon as possible.
  • Review your site and your server for signs of potential compromise.

Merchants running unsupported versions of Page Builder, such as Page Builder Beta, should upgrade to 2.3.3 or 2.3.2-p2 as soon as possible.

 

Patch information

Two patches are available: MDVA-22979_EE_2.3.2_v1 and MDVA-22979_EE_2.3.1_v1. Download the appropriate patch for your deployment from your account on magento.com.
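The affected-version list and the patch-per-version table above reduce to a small check that a merchant can run against a deployment's composer.lock before deciding which patch to download. The script below is an added example, not Magento's or Adobe's code: it assumes the Commerce metapackage appears in composer.lock as magento/product-enterprise-edition, that version strings look like 2.3.2 or 2.3.2-p2, and it uses a constructed lock-file fragment as input. It covers the core Magento version only; the Page Builder Beta case is not modelled, and a "fixed" result does not replace the compromise review the advisory asks for.

```python
"""Classify a Magento Commerce deployment against the advisory's affected list.

Added example (not Magento's or Adobe's code). It assumes the Commerce
metapackage is recorded in composer.lock as "magento/product-enterprise-edition"
and that versions look like "2.3.2" or "2.3.2-p2"; the sample lock fragment
below is constructed for the demonstration.
"""
import json
import re

# Hot-fix patch named in the advisory for each affected release line.
PATCH_FOR_VERSION = {
    "2.3.1": "MDVA-22979_EE_2.3.1_v1",
    "2.3.2": "MDVA-22979_EE_2.3.2_v1",
}
# The advisory's fixed releases are 2.3.2-p2 and 2.3.3; anything at or above
# 2.3.2-p2 (as a tuple) is treated as fixed.
FIRST_FIXED = (2, 3, 2, 2)

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(text):
    """Turn '2.3.2-p2' into (2, 3, 2, 2). A missing -pN suffix counts as p0,
    so 2.3.2 < 2.3.2-p1 < 2.3.2-p2 < 2.3.3 compare correctly as tuples."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Magento version string: {text!r}")
    major, minor, patch, p = match.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def assess(version_text):
    """Return (status, action) according to the advisory's affected list."""
    version = parse_version(version_text)
    base = "{}.{}.{}".format(*version[:3])
    if version >= FIRST_FIXED:
        return ("fixed", "no hot fix needed; still review the site for "
                         "compromise that predates the upgrade")
    if base in PATCH_FOR_VERSION:
        return ("affected", f"install {PATCH_FOR_VERSION[base]} now, then "
                            "upgrade to 2.3.3 or 2.3.2-p2")
    return ("not listed", "version is outside the advisory's affected list; "
                          "consult the full security bulletin")


def installed_version(lock_text, package="magento/product-enterprise-edition"):
    """Read the Commerce metapackage version out of composer.lock content."""
    for pkg in json.loads(lock_text).get("packages", []):
        if pkg.get("name") == package:
            return pkg["version"]
    raise LookupError(f"{package} not found in composer.lock")


def assess_lock(lock_text):
    """Lock-file content -> (installed version, status, recommended action)."""
    version = installed_version(lock_text)
    status, action = assess(version)
    return version, status, action


# Constructed composer.lock fragment standing in for a real deployment's file
# (package list trimmed to what the check needs).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "magento/framework", "version": "102.0.2"},
        {"name": "magento/product-enterprise-edition", "version": "2.3.2"},
    ]
})


if __name__ == "__main__":
    for v in ("2.3.1", "2.3.2", "2.3.2-p1", "2.3.2-p2", "2.3.3", "2.3.0"):
        print(v, *assess(v), sep="  ")
    # On a real host: assess_lock(open("composer.lock").read())
    print(*assess_lock(SAMPLE_LOCK), sep="  ")
```

The version parser is the part worth getting right: a plain string comparison would rank 2.3.2-p2 below 2.3.2 because of the suffix, so the suffix is folded into a fourth tuple element, which makes the security-only patch level sort above the base release and below 2.3.3.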

 

Attention Commerce Cloud customers

To help protect our customers, we have implemented measures designed to help block the exploit of this vulnerability. However, one side effect of blocking this exploit is that some Page Builder features might not work correctly. The preview feature is affected, and Magento might display an error when a page is saved correctly. We will re-enable the preview functionality as soon as possible.

 

Note: On November 14, 2019, we released ECE Tools 2002.0.22. This version automatically applies a patch for this issue when you redeploy while running a vulnerable version of Magento. We urge everyone to upgrade to this version of ECE Tools and redeploy.
