November 11, 2019
Magento is committed to delivering security updates to our customers. Because most exploits tend to target software installations that are not up-to-date with the latest security updates, we always strongly recommend that users install security updates as soon as they are available.
Merchants running Magento Commerce 2.3.x should install the latest security update to help protect their stores from potential malicious attacks that could exploit a vulnerability in preview methods. This vulnerability could enable an unauthenticated user to insert a malicious payload into a merchant’s site and execute it, which is why we recommend installing this update.
This issue was addressed in Magento Commerce 2.3.3 and in the security-only patch 2.3.2-p2. (See the discussion of CVE-2019-8144 in the Magento 2.3.3 and 2.2.10 Security Update, or the cve.mitre.org entry for CVE-2019-8144.)
Affected Magento versions
Protect your store
Important: We recommend that all merchants, even those who have already upgraded to 2.3.3 or applied security-only patch 2.3.2-p2, review the security of their Magento site to confirm that it was not compromised before the upgrade. Applying this hotfix or upgrading as described in this post will help defend your store against attacks going forward, but it will not undo the effects of an earlier attack.
We recommend that merchants take the actions described below as soon as possible:
Merchants running Magento 2.3.1—
Please note that editing an email template will not work as expected after the MDVA-22979_EE_2.3.1_v1 patch has been applied. However, this feature still works as expected from the email templates grid.
Merchants running Magento 2.3.2—
Merchants running unsupported versions of Page Builder, such as Page Builder Beta, should follow the instructions for the version of Magento 2.3.x they are running.
Two patches are available: MDVA-22979_EE_2.3.2_v1 and MDVA-22979_EE_2.3.1_v1. Download the appropriate patch for your deployment from your account on magento.com.
Attention Commerce Cloud customers
To help protect our customers, we have implemented measures designed to help block exploitation of this vulnerability. However, this action has the side effect of preventing administrators from viewing previews for products, blocks, and dynamic blocks. We will re-enable the preview functionality as soon as possible.