Magento announced a patch for a Magento Enterprise security vulnerability, as many industry blogs have reported. Magento has informed all of its Magento Enterprise customers about the security hole, but has not posted anything on its own blog.
Magento has already made a security patch available to its Magento Enterprise Edition clients; it can be accessed in the account section of the Magento website under Support Patches. This security vulnerability affects all Magento versions prior to the just recently patched version 220.127.116.11 (every version from 18.104.22.168 through 22.214.171.124).
What does this Magento Enterprise Security Vulnerability mean to you?
The vulnerability is limited to Magento Enterprise only, and only to users who already have administrative privileges. So you can take a deep breath: this Magento Enterprise security vulnerability won't expose you to the rest of the world. However, if your admin user rights management is poor, for example multiple users sharing the same login account, you may want to change this. Read more about proper Magento administrator user rights management in this follow-up post.
What Damages could you be exposed to by this Magento Enterprise Security Issue?
A user with administrator access to your Magento Enterprise store who exploits this issue could delete files and folders from your Magento installation. Should you drop everything and apply this patch? Not necessarily: many merchants should be in code freeze for the holiday season, and you may be fine riding it out until January with your current code base.
You should tighten your admin access rights management no matter what. If past employees still have access to your Magento admin panel, you should remove them.
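As a starting point for that admin review, here is an audit query added to this post (it is not Magento's code and not part of the patch). It assumes the standard Magento 1.x `admin_user` and `admin_role` tables without a table prefix, and the 90-day threshold is an arbitrary choice; it lists active admin accounts that have never logged in or not logged in recently, together with their assigned roles, so stale or former-employee accounts stand out.

```sql
-- Added example, not from the original post. Assumes the standard
-- Magento 1.x admin_user / admin_role schema with no table prefix;
-- prefix the table names if your installation uses one.
-- In admin_role, rows with role_type = 'U' link a user to a group role
-- (role_type = 'G') through parent_id.
SELECT u.user_id,
       u.username,
       u.email,
       u.logdate                  AS last_login,
       u.lognum                   AS login_count,
       GROUP_CONCAT(g.role_name)  AS roles
FROM admin_user AS u
LEFT JOIN admin_role AS ur ON ur.user_id = u.user_id AND ur.role_type = 'U'
LEFT JOIN admin_role AS g  ON g.role_id = ur.parent_id AND g.role_type = 'G'
WHERE u.is_active = 1
  AND (u.logdate IS NULL OR u.logdate < NOW() - INTERVAL 90 DAY)  -- 90 days is an assumed threshold
GROUP BY u.user_id, u.username, u.email, u.logdate, u.lognum
ORDER BY u.logdate;

-- Deactivate (rather than delete) an account that should no longer have
-- access, so its history is preserved for later review.
UPDATE admin_user
SET is_active = 0
WHERE username = 'former_employee';   -- placeholder username
```

Run the SELECT against a read replica or a backup copy first, and review the resulting list with whoever owns admin access before deactivating anything.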
This Enterprise Security Vulnerability does not affect Magento Community Edition
This vulnerability is limited to the Magento Enterprise edition and does not affect the Magento Community Edition. Magento Enterprise provides a great deal of additional functionality, with considerably more code.
Please contact us for help with applying this Magento Enterprise security patch or help with your other Magento security concerns. An easy way to address all your security and performance concerns is with the proprietary Magento Health Check.
Please post any questions as comments here and our staff will help you get answers fast. Please keep questions about potential security risks private and use the "get in touch with us" form.