Magento Security News

May 31, 2017

Magento Patch SUPEE 9767 Released

This patch fixes multiple security vulnerabilities, most of which require access to the admin before they can be exploited. We are currently evaluating this patch for compatibility and will be adding this functionality to our security patcher.

Full Patch Details

February 1, 2017

A security vulnerability has been found in the following extensions:

  • Cart2Quote - Ophirah_Qquoteadv
  • Ajax Cart Pro - EM_Ajaxcart

Exploits have been found in the wild. Contact each vendor for a patched version.

January 13, 2017

Magento has acknowledged a new potential remote code execution vulnerability in both Magento 1 and 2. This security risk is easily mitigated by changing the following setting in the Magento admin. The values 'No' and 'Specified' are not vulnerable. Approximately 5% of Magento stores have this option enabled and are at risk.

  • Magento 1: System-> Configuration-> Advanced-> System-> Mail Sending Settings-> Set Return-Path
  • Magento 2: Stores-> Configuration-> Advanced-> System-> Mail Sending Settings-> Set Return-Path

Full exploit details are here:
https://magento.com/security/news/new-zend-framework-1-security-vulnerability
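An added check for this item, not code from magesec.org or Magento: it audits rows exported from Magento's core_config_data table and reports which store views have "Set Return-Path" effectively set to 'Yes', following the default -> websites -> stores inheritance Magento applies. The config path system/smtp/set_return_path and the value encoding (0 = No, 1 = Yes, 2 = Specified) are taken from Magento's own source and are assumptions you should verify against your install; the sample rows and store-to-website map are constructed.

```python
# Added example (not part of the magesec.org page or Magento): audit the
# "Set Return-Path" option across store views from a core_config_data export.
from typing import Dict, List, Tuple

# Assumed config path used by Magento 1 and 2 for this option; verify locally.
CONFIG_PATH = "system/smtp/set_return_path"
VALUE_NAMES = {"0": "No", "1": "Yes", "2": "Specified"}
AT_RISK_VALUE = "1"  # per the advisory, only 'Yes' is at risk

# Row shape mirrors core_config_data: (scope, scope_id, path, value)
ConfigRow = Tuple[str, int, str, str]

# Constructed sample export: default is 'Yes', website 1 overrides to
# 'Specified', store view 2 explicitly sets 'Yes'.
SAMPLE_ROWS: List[ConfigRow] = [
    ("default", 0, CONFIG_PATH, "1"),
    ("default", 0, "system/smtp/return_path_email", "bounces@example.com"),
    ("websites", 1, CONFIG_PATH, "2"),
    ("stores", 2, CONFIG_PATH, "1"),
]

# Constructed store view -> website mapping (core_store in a real install).
SAMPLE_STORES: Dict[int, int] = {1: 1, 2: 1, 3: 2}


def effective_values(rows: List[ConfigRow],
                     store_to_website: Dict[int, int]) -> Dict[int, str]:
    """Resolve the effective Set Return-Path value for every store view.

    A 'stores' row wins over a 'websites' row, which wins over 'default';
    with no row at all Magento falls back to 'No' (0).
    """
    default = "0"
    website_vals: Dict[int, str] = {}
    store_vals: Dict[int, str] = {}
    for scope, scope_id, path, value in rows:
        if path != CONFIG_PATH:
            continue
        if scope == "default":
            default = value
        elif scope == "websites":
            website_vals[scope_id] = value
        elif scope == "stores":
            store_vals[scope_id] = value

    resolved: Dict[int, str] = {}
    for store_id, website_id in store_to_website.items():
        if store_id in store_vals:
            resolved[store_id] = store_vals[store_id]
        elif website_id in website_vals:
            resolved[store_id] = website_vals[website_id]
        else:
            resolved[store_id] = default
    return resolved


def at_risk_stores(rows: List[ConfigRow],
                   store_to_website: Dict[int, int]) -> List[int]:
    """Return the sorted store view ids whose effective value is 'Yes'."""
    values = effective_values(rows, store_to_website)
    return sorted(sid for sid, val in values.items() if val == AT_RISK_VALUE)


def report(rows: List[ConfigRow], store_to_website: Dict[int, int]) -> List[str]:
    """Human-readable line per store view, flagging the ones to fix."""
    lines = []
    for sid, val in sorted(effective_values(rows, store_to_website).items()):
        name = VALUE_NAMES.get(val, f"unknown({val})")
        flag = "AT RISK - set to No or Specified" if val == AT_RISK_VALUE else "ok"
        lines.append(f"store {sid}: Set Return-Path = {name} [{flag}]")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_ROWS, SAMPLE_STORES):
        print(line)
```

To run it against a real store, replace the constructed lists with a dump of core_config_data (only rows for the path above matter) and the store/website mapping from core_store; any store view reported as 'Yes' should be switched to 'No' or 'Specified' in the admin path listed above.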

Follow us on Twitter @mage_sec for the latest Magento security news. Contribute to the magesec.org website on GitHub at magesec/magesec.