Security Update for Potential Vulnerability in Magento Admin URL location
May 10, 2019
An issue has been discovered in Magento Open Source and Magento Commerce that can be used to disclose the URL location of a Magento Admin panel. While there is currently no reason to believe this issue would lead to compromise directly, knowing the URL location could make it easier to automate attacks.
We are aware of similar attacks using these methods. Magento has released patches and recommends additional security steps to best protect your store.
Affected versions
This issue affects Magento Open Source and Magento Commerce (on-premise and cloud) for 2.1.x, 2.2.x, and 2.3.x. Magento 1 merchants are not affected.
Install the patch
To help protect against potential attacks associated with these types of issues, update your Magento installations with a new patch. For complete details and instructions, see the KB article "Magento Admin URL location disclosed".
Protect your store
To help protect against potential attacks associated with these types of issues, Magento strongly recommends that merchants deploy tools to secure their admin panel, including two-factor authentication, VPN, IP whitelisting and more.
For detailed information, see the following blogs and documentation:
- Protect Your Magento Installation Password Guessing New Update
- Adding and Configuring Two-Factor Authentication in Magento for 2.1.x, 2.2.x, and 2.3.x