-Added October 26, 2020

Affected Magento versions: Magento Commerce and Open Source v2.4.1 / v2.3.6 (on prem and Cloud).

-Added May 20, 2020

Affected Magento versions: Magento Commerce and Open Source v2.3.5 / v2.3.5-p1 (on prem and cloud).

-Added May 04, 2020

Affected Magento versions: Magento Commerce and Open Source v2.3.5 / v2.3.5-p1 (on prem and cloud).

-Added April 29, 2020

This patch resolves an inability to re-send an account confirmation email link from storefront account login page. (This known issue was first identified in Magento 2.3.5.)

Affected Magento versions: Magento Commerce and Open Source v2.3.5 / v2.3.5-p1 / v2.3.5-p2 (on prem and cloud).

See Applying patches for specific instructions on downloading and applying Magento patches.

-Added March 24, 2020

This patch addresses a lingering issue created by the fix for CVE-2019-8118 (PRODSECBUG-2452) included in Magento 2.3.3 and 2.2.10.

-Added February 12, 2020

This patch resolves the issue which affects orders placed with PayPal Express Checkout where the order’s shipping address specifies a country region that has been manually entered into the text field rather than selected from the drop-down menu on the Shipping page.

Affected Magento versions: Magento Commerce and Open Source v2.3.4 (on prem and cloud).

See Applying patches for specific instructions on downloading and applying Magento patches.

This patch resolves issues that users of Magento 2.3.3 experience in deployments where Elasticsearch 6.x is used as the catalog search engine. Users who attempt to navigate past the first page of search results are unsuccessful, and Magento displays an error message. After this patch is installed, users will be able to page through all search results.

Affected Magento versions: Magento Commerce and Open Source v2.3.3 (on Prem and Cloud).

This patch addresses backward compatibility issues that extension developers may have experienced after the introduction of Magento\Framework\Mail\EmailMessageInterface, which was released in Magento 2.3.3. In the scope of this patch, the new EmailMessageInterface inherits from the old MessageInterface, and core modules are changed back to rely on MessageInterface. Merchants should apply this patch as soon as possible, especially if their deployments include extensions or customizations that use the mail interface.

Affected Magento versions: Magento Commerce and Open Source v2.3.3.

See the Magento forum DevBlog post for much more information.

This patch addresses changes that were introduced in Magento 2.3.3 that resulted in problems with extensions and customizations of the product collection feature that rely on method chaining contracts. The addAttributeToFilter method (in file app/code/Magento/Catalog/Model/ResourceModel/Product/Collection.php) was refactored without a return statement, which broke the method-chaining that is used extensively in customizations of this feature. This patch refactors the method to add the missing return statement and ensure that method chaining works.

An unauthenticated cross-site scripting vulnerability combined with an authenticated Phar deserialization vulnerability has left older versions of Magento Commerce and Magento Open Source open to serious exploit. An attacker can use these vulnerabilities to inject JavaScript into the Magento Admin, and subsequently launch malicious code in a store user’s browser. We strongly recommend that all users of the affected versions of Magento download and apply the appropriate patch as soon as possible.

The issue affects the following Magento versions (on prem and cloud):

• Magento Open Source v2.3.1, 2.3.0, 2.2.8, and earlier 2.2.x releases
• Magento Commerce v2.3.1, 2.3.0, 2.2.8, and earlier 2.2.x releases
• Magento Commerce Cloud v2.3.1, 2.3.0, 2.2.8, and earlier 2.2.x releases

This patch resolves an issue with the Async and Bulk APIs, which in certain versions of Magento do not provide the information needed to update or create data for specific stores. Without this patch, the Async/Bulk REST APIs will support the default store view scope only.

Affected Magento versions are: Magento Open Source v2.3.2, 2.3.1

An issue has been discovered in Magento Open Source and Magento Commerce that can be used to disclose the URL location of a Magento Admin panel. While there is currently no reason to believe this issue would lead to a compromise directly, knowing the URL location could make it easier to automate attacks. To help prevent against potential attacks, Magento has released patches for this issue. For complete details, install instructions, and recommendations, see: https://magento.com/security/security-update-potential-vulnerability-magento-admin-url-location

This patch provides a replacement for the deprecated Google Image Charts service that Magento uses for all 2.x instances and replaces it with the Image-Charts free service. Users of Magento 2.x deployments will not be able to view static charts in Magento 2.x instances unless they download and apply this patch. See Switch from deprecated Google Image Charts to Image-Charts for Magento for more information.

This patch provides protection against the SQL injection vulnerability described under PRODSECBUG-2198 here. To quickly protect your store from this vulnerability only, install this patch. However, to apply protection against this vulnerability and others, you must apply the 2.3.1, 2.2.8, or 2.1.17 patch code. We strongly suggest that you install these full patches as soon as you can

This patch updates Authorize.Net Direct Post integration to continue processing payments beyond March 14th 2019 (see MD5 Hash End of Life & Signature Key Replacement). There are additional steps that you need to execute after installing this patch to ensure continued use of Authorize.Net – read more Update Authorize.Net Direct Post from MD5 to SHA-512.

-Added May 20, 2020

Affected Magento versions: Magento Commerce and Open Source v2.3.5 / v2.3.5-p1 (on prem and cloud).

-Added May 04, 2020

Affected Magento versions: Magento Commerce and Open Source v2.3.5 / v2.3.5-p1 (on prem and cloud).

-Added April 29, 2020

This patch resolves an inability to re-send an account confirmation email link from storefront account login page. (This known issue was first identified in Magento 2.3.5.)

Affected Magento versions: Magento Commerce and Open Source v2.3.5 / v2.3.5-p1 (on prem and cloud).

See Applying patches for specific instructions on downloading and applying Magento patches.

-Added March 24, 2020

This patch addresses a lingering issue created by the fix for CVE-2019-8118 (PRODSECBUG-2452) included in Magento 2.3.3 and 2.2.10.

-Added February 12, 2020

This patch resolves the issue which affects orders placed with PayPal Express Checkout where the order’s shipping address specifies a country region that has been manually entered into the text field rather than selected from the drop-down menu on the Shipping page.

Affected Magento versions: Magento Commerce and Open Source v2.3.4 (on prem and cloud).

See Applying patches for specific instructions on downloading and applying Magento patches.

This patch resolves issues that users of Magento 2.3.3 experience in deployments where Elasticsearch 6.x is used as the catalog search engine. Users who attempt to navigate past the first page of search results are unsuccessful, and Magento displays an error message. After this patch is installed, users will be able to page through all search results.

Affected Magento versions: Magento Commerce and Open Source v2.3.3 (on Prem and Cloud).

This patch addresses backward compatibility issues that extension developers may have experienced after the introduction of Magento\Framework\Mail\EmailMessageInterface, which was released in Magento 2.3.3. In the scope of this patch, the new EmailMessageInterface inherits from the old MessageInterface, and core modules are changed back to rely on MessageInterface. Merchants should apply this patch as soon as possible, especially if their deployments include extensions or customizations that use the mail interface.

Affected Magento versions: Magento Commerce and Open Source v2.3.3.

See the Magento forum DevBlog post for much more information.

This patch addresses changes that were introduced in Magento 2.3.3 that resulted in problems with extensions and customizations of the product collection feature that rely on method chaining contracts. The addAttributeToFilter method (in file app/code/Magento/Catalog/Model/ResourceModel/Product/Collection.php) was refactored without a return statement, which broke the method-chaining that is used extensively in customizations of this feature. This patch refactors the method to add the missing return statement and ensure that method chaining works.

An unauthenticated cross-site scripting vulnerability combined with an authenticated Phar deserialization vulnerability has left older versions of Magento Commerce and Magento Open Source open to serious exploit. An attacker can use these vulnerabilities to inject JavaScript into the Magento Admin, and subsequently launch malicious code in a store user’s browser. We strongly recommend that all users of the affected versions of Magento download and apply the appropriate patch as soon as possible.

The issue affects the following Magento versions (on prem and cloud):

• Magento Open Source v2.3.1, 2.3.0, 2.2.8, and earlier 2.2.x releases
• Magento Commerce v2.3.1, 2.3.0, 2.2.8, and earlier 2.2.x releases
• Magento Commerce Cloud v2.3.1, 2.3.0, 2.2.8, and earlier 2.2.x releases

This patch resolves an issue with the Async and Bulk APIs, which in certain versions of Magento do not provide the information needed to update or create data for specific stores. Without this patch, the Async/Bulk REST APIs will support the default store view scope only.

Affected Magento versions are: Magento Open Source v2.3.2, 2.3.1

An issue has been discovered in Magento Open Source and Magento Commerce that can be used to disclose the URL location of a Magento Admin panel. While there is currently no reason to believe this issue would lead to a compromise directly, knowing the URL location could make it easier to automate attacks. To help prevent against potential attacks, Magento has released patches for this issue. For complete details, install instructions, and recommendations, see: https://magento.com/security/security-update-potential-vulnerability-magento-admin-url-location

This patch provides a replacement for the deprecated Google Image Charts service that Magento uses for all 2.x instances and replaces it with the Image-Charts free service. Users of Magento 2.x deployments will not be able to view static charts in Magento 2.x instances unless they download and apply this patch. See Switch from deprecated Google Image Charts to Image-Charts for Magento for more information.

This patch provides protection against the SQL injection vulnerability described under PRODSECBUG-2198 here. To quickly protect your store from this vulnerability only, install this patch. However, to apply protection against this vulnerability and others, you must apply the 2.3.1, 2.2.8, or 2.1.17 patch code. We strongly suggest that you install these full patches as soon as you can

This patch updates Authorize.Net Direct Post integration to continue processing payments beyond March 14th 2019 (see MD5 Hash End of Life & Signature Key Replacement). There are additional steps that you need to execute after installing this patch to ensure continued use of Authorize.Net – read more Update Authorize.Net Direct Post from MD5 to SHA-512.

-Added May 20, 2020

Affected Magento versions: Magento Commerce and Open Source v2.3.5 / v2.3.5-p1 (on prem and cloud).

-Added May 04, 2020

Affected Magento versions: Magento Commerce and Open Source v2.3.5 / v2.3.5-p1 (on prem and cloud).

-Added April 29, 2020

This patch resolves an inability to re-send an account confirmation email link from storefront account login page. (This known issue was first identified in Magento 2.3.5.)

Affected Magento versions: Magento Commerce and Open Source v2.3.5 / v2.3.5-p1 (on prem and cloud).

See Applying patches for specific instructions on downloading and applying Magento patches.

-Added March 24, 2020

This patch addresses a lingering issue created by the fix for CVE-2019-8118 (PRODSECBUG-2452) included in Magento 2.3.3 and 2.2.10.

-Added February 12, 2020

This patch resolves the issue which affects orders placed with PayPal Express Checkout where the order’s shipping address specifies a country region that has been manually entered into the text field rather than selected from the drop-down menu on the Shipping page.

Affected Magento versions: Magento Commerce and Open Source v2.3.4 (on prem and cloud).

See Applying patches for specific instructions on downloading and applying Magento patches.

This patch resolves issues that users of Magento 2.3.3 experience in deployments where Elasticsearch 6.x is used as the catalog search engine. Users who attempt to navigate past the first page of search results are unsuccessful, and Magento displays an error message. After this patch is installed, users will be able to page through all search results.

Affected Magento versions: Magento Commerce and Open Source v2.3.3 (on Prem and Cloud).

This patch addresses backward compatibility issues that extension developers may have experienced after the introduction of Magento\Framework\Mail\EmailMessageInterface, which was released in Magento 2.3.3. In the scope of this patch, the new EmailMessageInterface inherits from the old MessageInterface, and core modules are changed back to rely on MessageInterface. Merchants should apply this patch as soon as possible, especially if their deployments include extensions or customizations that use the mail interface.

Affected Magento versions: Magento Commerce and Open Source v2.3.3.

See the Magento forum DevBlog post for much more information.

This patch addresses changes that were introduced in Magento 2.3.3 that resulted in problems with extensions and customizations of the product collection feature that rely on method chaining contracts. The addAttributeToFilter method (in file app/code/Magento/Catalog/Model/ResourceModel/Product/Collection.php) was refactored without a return statement, which broke the method-chaining that is used extensively in customizations of this feature. This patch refactors the method to add the missing return statement and ensure that method chaining works.

An unauthenticated cross-site scripting vulnerability combined with an authenticated Phar deserialization vulnerability has left older versions of Magento Commerce and Magento Open Source open to serious exploit. An attacker can use these vulnerabilities to inject JavaScript into the Magento Admin, and subsequently launch malicious code in a store user’s browser. We strongly recommend that all users of the affected versions of Magento download and apply the appropriate patch as soon as possible.

The issue affects the following Magento versions (on prem and cloud):

• Magento Open Source v2.3.1, 2.3.0, 2.2.8, and earlier 2.2.x releases
• Magento Commerce v2.3.1, 2.3.0, 2.2.8, and earlier 2.2.x releases
• Magento Commerce Cloud v2.3.1, 2.3.0, 2.2.8, and earlier 2.2.x releases

This patch resolves an issue with the Async and Bulk APIs, which in certain versions of Magento do not provide the information needed to update or create data for specific stores. Without this patch, the Async/Bulk REST APIs will support the default store view scope only.

Affected Magento versions are: Magento Open Source v2.3.2, 2.3.1

An issue has been discovered in Magento Open Source and Magento Commerce that can be used to disclose the URL location of a Magento Admin panel. While there is currently no reason to believe this issue would lead to a compromise directly, knowing the URL location could make it easier to automate attacks. To help prevent against potential attacks, Magento has released patches for this issue. For complete details, install instructions, and recommendations, see: https://magento.com/security/security-update-potential-vulnerability-magento-admin-url-location

This patch provides a replacement for the deprecated Google Image Charts service that Magento uses for all 2.x instances and replaces it with the Image-Charts free service. Users of Magento 2.x deployments will not be able to view static charts in Magento 2.x instances unless they download and apply this patch. See Switch from deprecated Google Image Charts to Image-Charts for Magento for more information.

This patch provides protection against the SQL injection vulnerability described under PRODSECBUG-2198 here. To quickly protect your store from this vulnerability only, install this patch. However, to apply protection against this vulnerability and others, you must apply the 2.3.1, 2.2.8, or 2.1.17 patch code. We strongly suggest that you install these full patches as soon as you can

This patch updates Authorize.Net Direct Post integration to continue processing payments beyond March 14th 2019 (see MD5 Hash End of Life & Signature Key Replacement). There are additional steps that you need to execute after installing this patch to ensure continued use of Authorize.Net – read more Update Authorize.Net Direct Post from MD5 to SHA-512.

-Added May 20, 2020

Affected Magento versions: Magento Commerce and Open Source v2.3.5 / v2.3.5-p1 (on prem and cloud).

-Added May 04, 2020

Affected Magento versions: Magento Commerce and Open Source v2.3.5 / v2.3.5-p1 (on prem and cloud).

-Added April 29, 2020

This patch resolves an inability to re-send an account confirmation email link from storefront account login page. (This known issue was first identified in Magento 2.3.5.)

Affected Magento versions: Magento Commerce and Open Source v2.3.5 / v2.3.5-p1 (on prem and cloud).

See Applying patches for specific instructions on downloading and applying Magento patches.

-Added March 24, 2020

This patch addresses a lingering issue created by the fix for CVE-2019-8118 (PRODSECBUG-2452) included in Magento 2.3.3 and 2.2.10.

-Added February 12, 2020

This patch resolves the issue which affects orders placed with PayPal Express Checkout where the order’s shipping address specifies a country region that has been manually entered into the text field rather than selected from the drop-down menu on the Shipping page.

Affected Magento versions: Magento Commerce and Open Source v2.3.4 (on prem and cloud).

See Applying patches for specific instructions on downloading and applying Magento patches.

This patch resolves issues that users of Magento 2.3.3 experience in deployments where Elasticsearch 6.x is used as the catalog search engine. Users who attempt to navigate past the first page of search results are unsuccessful, and Magento displays an error message. After this patch is installed, users will be able to page through all search results.

Affected Magento versions: Magento Commerce and Open Source v2.3.3 (on Prem and Cloud).

This patch addresses backward compatibility issues that extension developers may have experienced after the introduction of Magento\Framework\Mail\EmailMessageInterface, which was released in Magento 2.3.3. In the scope of this patch, the new EmailMessageInterface inherits from the old MessageInterface, and core modules are changed back to rely on MessageInterface. Merchants should apply this patch as soon as possible, especially if their deployments include extensions or customizations that use the mail interface.

Affected Magento versions: Magento Commerce and Open Source v2.3.3.

See the Magento forum DevBlog post for much more information.

This patch addresses changes that were introduced in Magento 2.3.3 that resulted in problems with extensions and customizations of the product collection feature that rely on method chaining contracts. The addAttributeToFilter method (in file app/code/Magento/Catalog/Model/ResourceModel/Product/Collection.php) was refactored without a return statement, which broke the method-chaining that is used extensively in customizations of this feature. This patch refactors the method to add the missing return statement and ensure that method chaining works.

An unauthenticated cross-site scripting vulnerability combined with an authenticated Phar deserialization vulnerability has left older versions of Magento Commerce and Magento Open Source open to serious exploit. An attacker can use these vulnerabilities to inject JavaScript into the Magento Admin, and subsequently launch malicious code in a store user’s browser. We strongly recommend that all users of the affected versions of Magento download and apply the appropriate patch as soon as possible.

The issue affects the following Magento versions (on prem and cloud):

• Magento Open Source v2.3.1, 2.3.0, 2.2.8, and earlier 2.2.x releases
• Magento Commerce v2.3.1, 2.3.0, 2.2.8, and earlier 2.2.x releases
• Magento Commerce Cloud v2.3.1, 2.3.0, 2.2.8, and earlier 2.2.x releases

This patch resolves an issue with the Async and Bulk APIs, which in certain versions of Magento do not provide the information needed to update or create data for specific stores. Without this patch, the Async/Bulk REST APIs will support the default store view scope only.

Affected Magento versions are: Magento Open Source v2.3.2, 2.3.1

An issue has been discovered in Magento Open Source and Magento Commerce that can be used to disclose the URL location of a Magento Admin panel. While there is currently no reason to believe this issue would lead to a compromise directly, knowing the URL location could make it easier to automate attacks. To help prevent against potential attacks, Magento has released patches for this issue. For complete details, install instructions, and recommendations, see: https://magento.com/security/security-update-potential-vulnerability-magento-admin-url-location

This patch provides a replacement for the deprecated Google Image Charts service that Magento uses for all 2.x instances and replaces it with the Image-Charts free service. Users of Magento 2.x deployments will not be able to view static charts in Magento 2.x instances unless they download and apply this patch. See Switch from deprecated Google Image Charts to Image-Charts for Magento for more information.

This patch provides protection against the SQL injection vulnerability described under PRODSECBUG-2198 here. To quickly protect your store from this vulnerability only, install this patch. However, to apply protection against this vulnerability and others, you must apply the 2.3.1, 2.2.8, or 2.1.17 patch code. We strongly suggest that you install these full patches as soon as you can

This patch updates Authorize.Net Direct Post integration to continue processing payments beyond March 14th 2019 (see MD5 Hash End of Life & Signature Key Replacement). There are additional steps that you need to execute after installing this patch to ensure continued use of Authorize.Net – read more Update Authorize.Net Direct Post from MD5 to SHA-512.

-Added May 20, 2020

Affected Magento versions: Magento Commerce and Open Source v2.3.5 / v2.3.5-p1 (on prem and cloud).

-Added May 04, 2020

Affected Magento versions: Magento Commerce and Open Source v2.3.5 / v2.3.5-p1 (on prem and cloud).

-Added April 29, 2020

This patch resolves an inability to re-send an account confirmation email link from storefront account login page. (This known issue was first identified in Magento 2.3.5.)

Affected Magento versions: Magento Commerce and Open Source v2.3.5 / v2.3.5-p1 (on prem and cloud).

See Applying patches for specific instructions on downloading and applying Magento patches.

-Added March 24, 2020

This patch addresses a lingering issue created by the fix for CVE-2019-8118 (PRODSECBUG-2452) included in Magento 2.3.3 and 2.2.10.

-Added February 12, 2020

This patch resolves the issue which affects orders placed with PayPal Express Checkout where the order’s shipping address specifies a country region that has been manually entered into the text field rather than selected from the drop-down menu on the Shipping page.

Affected Magento versions: Magento Commerce and Open Source v2.3.4 (on prem and cloud).

See Applying patches for specific instructions on downloading and applying Magento patches.

This patch resolves issues that users of Magento 2.3.3 experience in deployments where Elasticsearch 6.x is used as the catalog search engine. Users who attempt to navigate past the first page of search results are unsuccessful, and Magento displays an error message. After this patch is installed, users will be able to page through all search results.

Affected Magento versions: Magento Commerce and Open Source v2.3.3 (on Prem and Cloud).

This patch addresses backward compatibility issues that extension developers may have experienced after the introduction of Magento\Framework\Mail\EmailMessageInterface, which was released in Magento 2.3.3. In the scope of this patch, the new EmailMessageInterface inherits from the old MessageInterface, and core modules are changed back to rely on MessageInterface. Merchants should apply this patch as soon as possible, especially if their deployments include extensions or customizations that use the mail interface.

Affected Magento versions: Magento Commerce and Open Source v2.3.3.

See the Magento forum DevBlog post for much more information.

This patch addresses changes that were introduced in Magento 2.3.3 that resulted in problems with extensions and customizations of the product collection feature that rely on method chaining contracts. The addAttributeToFilter method (in file app/code/Magento/Catalog/Model/ResourceModel/Product/Collection.php) was refactored without a return statement, which broke the method-chaining that is used extensively in customizations of this feature. This patch refactors the method to add the missing return statement and ensure that method chaining works.

An unauthenticated cross-site scripting vulnerability combined with an authenticated Phar deserialization vulnerability has left older versions of Magento Commerce and Magento Open Source open to serious exploit. An attacker can use these vulnerabilities to inject JavaScript into the Magento Admin, and subsequently launch malicious code in a store user’s browser. We strongly recommend that all users of the affected versions of Magento download and apply the appropriate patch as soon as possible.

The issue affects the following Magento versions (on prem and cloud):

• Magento Open Source v2.3.1, 2.3.0, 2.2.8, and earlier 2.2.x releases
• Magento Commerce v2.3.1, 2.3.0, 2.2.8, and earlier 2.2.x releases
• Magento Commerce Cloud v2.3.1, 2.3.0, 2.2.8, and earlier 2.2.x releases

This patch resolves an issue with the Async and Bulk APIs, which in certain versions of Magento do not provide the information needed to update or create data for specific stores. Without this patch, the Async/Bulk REST APIs will support the default store view scope only.

Affected Magento versions are: Magento Open Source v2.3.2, 2.3.1

An issue has been discovered in Magento Open Source and Magento Commerce that can be used to disclose the URL location of a Magento Admin panel. While there is currently no reason to believe this issue would lead to a compromise directly, knowing the URL location could make it easier to automate attacks. To help prevent against potential attacks, Magento has released patches for this issue. For complete details, install instructions, and recommendations, see: https://magento.com/security/security-update-potential-vulnerability-magento-admin-url-location

This patch provides a replacement for the deprecated Google Image Charts service that Magento uses for all 2.x instances and replaces it with the Image-Charts free service. Users of Magento 2.x deployments will not be able to view static charts in Magento 2.x instances unless they download and apply this patch. See Switch from deprecated Google Image Charts to Image-Charts for Magento for more information.

This patch provides protection against the SQL injection vulnerability described under PRODSECBUG-2198 here. To quickly protect your store from this vulnerability only, install this patch. However, to apply protection against this vulnerability and others, you must apply the 2.3.1, 2.2.8, or 2.1.17 patch code. We strongly suggest that you install these full patches as soon as you can

This patch updates Authorize.Net Direct Post integration to continue processing payments beyond March 14th 2019 (see MD5 Hash End of Life & Signature Key Replacement). There are additional steps that you need to execute after installing this patch to ensure continued use of Authorize.Net – read more Update Authorize.Net Direct Post from MD5 to SHA-512.

-Added May 20, 2020

Affected Magento versions: Magento Commerce and Open Source v2.3.5 / v2.3.5-p1 (on prem and cloud).

-Added May 04, 2020

Affected Magento versions: Magento Commerce and Open Source v2.3.5 / v2.3.5-p1 (on prem and cloud).

-Added April 29, 2020

This patch resolves an inability to re-send an account confirmation email link from storefront account login page. (This known issue was first identified in Magento 2.3.5.)

Affected Magento versions: Magento Commerce and Open Source v2.3.5 / v2.3.5-p1 (on prem and cloud).

See Applying patches for specific instructions on downloading and applying Magento patches.

-Added March 24, 2020

This patch addresses a lingering issue created by the fix for CVE-2019-8118 (PRODSECBUG-2452) included in Magento 2.3.3 and 2.2.10.

-Added February 12, 2020

This patch resolves the issue which affects orders placed with PayPal Express Checkout where the order’s shipping address specifies a country region that has been manually entered into the text field rather than selected from the drop-down menu on the Shipping page.

Affected Magento versions: Magento Commerce and Open Source v2.3.4 (on prem and cloud).

See Applying patches for specific instructions on downloading and applying Magento patches.

This patch resolves issues that users of Magento 2.3.3 experience in deployments where Elasticsearch 6.x is used as the catalog search engine. Users who attempt to navigate past the first page of search results are unsuccessful, and Magento displays an error message. After this patch is installed, users will be able to page through all search results.

Affected Magento versions: Magento Commerce and Open Source v2.3.3 (on Prem and Cloud).

This patch addresses backward compatibility issues that extension developers may have experienced after the introduction of Magento\Framework\Mail\EmailMessageInterface, which was released in Magento 2.3.3. In the scope of this patch, the new EmailMessageInterface inherits from the old MessageInterface, and core modules are changed back to rely on MessageInterface. Merchants should apply this patch as soon as possible, especially if their deployments include extensions or customizations that use the mail interface.

Affected Magento versions: Magento Commerce and Open Source v2.3.3.

See the Magento forum DevBlog post for much more information.

This patch addresses changes that were introduced in Magento 2.3.3 that resulted in problems with extensions and customizations of the product collection feature that rely on method chaining contracts. The addAttributeToFilter method (in file app/code/Magento/Catalog/Model/ResourceModel/Product/Collection.php) was refactored without a return statement, which broke the method-chaining that is used extensively in customizations of this feature. This patch refactors the method to add the missing return statement and ensure that method chaining works.

An unauthenticated cross-site scripting vulnerability combined with an authenticated Phar deserialization vulnerability has left older versions of Magento Commerce and Magento Open Source open to serious exploit. An attacker can use these vulnerabilities to inject JavaScript into the Magento Admin, and subsequently launch malicious code in a store user’s browser. We strongly recommend that all users of the affected versions of Magento download and apply the appropriate patch as soon as possible.

The issue affects the following Magento versions (on prem and cloud):

• Magento Open Source v2.3.1, 2.3.0, 2.2.8, and earlier 2.2.x releases
• Magento Commerce v2.3.1, 2.3.0, 2.2.8, and earlier 2.2.x releases
• Magento Commerce Cloud v2.3.1, 2.3.0, 2.2.8, and earlier 2.2.x releases

This patch resolves an issue with the Async and Bulk APIs, which in certain versions of Magento do not provide the information needed to update or create data for specific stores. Without this patch, the Async/Bulk REST APIs will support the default store view scope only.

Affected Magento versions are: Magento Open Source v2.3.2, 2.3.1

An issue has been discovered in Magento Open Source and Magento Commerce that can be used to disclose the URL location of a Magento Admin panel. While there is currently no reason to believe this issue would lead to a compromise directly, knowing the URL location could make it easier to automate attacks. To help prevent against potential attacks, Magento has released patches for this issue. For complete details, install instructions, and recommendations, see: https://magento.com/security/security-update-potential-vulnerability-magento-admin-url-location

This patch provides a replacement for the deprecated Google Image Charts service that Magento uses for all 2.x instances and replaces it with the Image-Charts free service. Users of Magento 2.x deployments will not be able to view static charts in Magento 2.x instances unless they download and apply this patch. See Switch from deprecated Google Image Charts to Image-Charts for Magento for more information.

This patch provides protection against the SQL injection vulnerability described under PRODSECBUG-2198 here. To quickly protect your store from this vulnerability only, install this patch. However, to apply protection against this vulnerability and others, you must apply the 2.3.1, 2.2.8, or 2.1.17 patch code. We strongly suggest that you install these full patches as soon as you can

This patch updates Authorize.Net Direct Post integration to continue processing payments beyond March 14th 2019 (see MD5 Hash End of Life & Signature Key Replacement). There are additional steps that you need to execute after installing this patch to ensure continued use of Authorize.Net – read more Update Authorize.Net Direct Post from MD5 to SHA-512.

-Added May 20, 2020

Affected Magento versions: Magento Commerce and Open Source v2.3.5 / v2.3.5-p1 (on prem and cloud).

-Added May 04, 2020

Affected Magento versions: Magento Commerce and Open Source v2.3.5 / v2.3.5-p1 (on prem and cloud).

-Added April 29, 2020

This patch resolves an inability to re-send an account confirmation email link from storefront account login page. (This known issue was first identified in Magento 2.3.5.)

Affected Magento versions: Magento Commerce and Open Source v2.3.5 / v2.3.5-p1 (on prem and cloud).

See Applying patches for specific instructions on downloading and applying Magento patches.

-Added March 24, 2020

This patch addresses a lingering issue created by the fix for CVE-2019-8118 (PRODSECBUG-2452) included in Magento 2.3.3 and 2.2.10.

-Added February 12, 2020

This patch resolves the issue which affects orders placed with PayPal Express Checkout where the order’s shipping address specifies a country region that has been manually entered into the text field rather than selected from the drop-down menu on the Shipping page.

Affected Magento versions: Magento Commerce and Open Source v2.3.4 (on prem and cloud).

See Applying patches for specific instructions on downloading and applying Magento patches.

This patch resolves issues that users of Magento 2.3.3 experience in deployments where Elasticsearch 6.x is used as the catalog search engine. Users who attempt to navigate past the first page of search results are unsuccessful, and Magento displays an error message. After this patch is installed, users will be able to page through all search results.

Affected Magento versions: Magento Commerce and Open Source v2.3.3 (on Prem and Cloud).

This patch addresses backward compatibility issues that extension developers may have experienced after the introduction of Magento\Framework\Mail\EmailMessageInterface, which was released in Magento 2.3.3. In the scope of this patch, the new EmailMessageInterface inherits from the old MessageInterface, and core modules are changed back to rely on MessageInterface. Merchants should apply this patch as soon as possible, especially if their deployments include extensions or customizations that use the mail interface.

Affected Magento versions: Magento Commerce and Open Source v2.3.3.

See the Magento forum DevBlog post for much more information.

This patch addresses changes that were introduced in Magento 2.3.3 that resulted in problems with extensions and customizations of the product collection feature that rely on method chaining contracts. The addAttributeToFilter method (in file app/code/Magento/Catalog/Model/ResourceModel/Product/Collection.php) was refactored without a return statement, which broke the method-chaining that is used extensively in customizations of this feature. This patch refactors the method to add the missing return statement and ensure that method chaining works.

An unauthenticated cross-site scripting vulnerability combined with an authenticated Phar deserialization vulnerability has left older versions of Magento Commerce and Magento Open Source open to serious exploit. An attacker can use these vulnerabilities to inject JavaScript into the Magento Admin, and subsequently launch malicious code in a store user’s browser. We strongly recommend that all users of the affected versions of Magento download and apply the appropriate patch as soon as possible.

The issue affects the following Magento versions (on prem and cloud):

• Magento Open Source v2.3.1, 2.3.0, 2.2.8, and earlier 2.2.x releases
• Magento Commerce v2.3.1, 2.3.0, 2.2.8, and earlier 2.2.x releases
• Magento Commerce Cloud v2.3.1, 2.3.0, 2.2.8, and earlier 2.2.x releases

This patch resolves an issue with the Async and Bulk APIs, which in certain versions of Magento do not provide the information needed to update or create data for specific stores. Without this patch, the Async/Bulk REST APIs will support the default store view scope only.

Affected Magento versions are: Magento Open Source v2.3.2, 2.3.1

An issue has been discovered in Magento Open Source and Magento Commerce that can be used to disclose the URL location of a Magento Admin panel. While there is currently no reason to believe this issue would lead to a compromise directly, knowing the URL location could make it easier to automate attacks. To help prevent against potential attacks, Magento has released patches for this issue. For complete details, install instructions, and recommendations, see: https://magento.com/security/security-update-potential-vulnerability-magento-admin-url-location

This patch provides a replacement for the deprecated Google Image Charts service that Magento uses for all 2.x instances and replaces it with the Image-Charts free service. Users of Magento 2.x deployments will not be able to view static charts in Magento 2.x instances unless they download and apply this patch. See Switch from deprecated Google Image Charts to Image-Charts for Magento for more information.

This patch provides protection against the SQL injection vulnerability described under PRODSECBUG-2198 here. To quickly protect your store from this vulnerability only, install this patch. However, to apply protection against this vulnerability and others, you must apply the 2.3.1, 2.2.8, or 2.1.17 patch code. We strongly suggest that you install these full patches as soon as you can

This patch updates Authorize.Net Direct Post integration to continue processing payments beyond March 14th 2019 (see MD5 Hash End of Life & Signature Key Replacement). There are additional steps that you need to execute after installing this patch to ensure continued use of Authorize.Net – read more Update Authorize.Net Direct Post from MD5 to SHA-512.

-Added May 20, 2020

Affected Magento versions: Magento Commerce and Open Source v2.3.5 / v2.3.5-p1 (on prem and cloud).

-Added May 04, 2020

Affected Magento versions: Magento Commerce and Open Source v2.3.5 / v2.3.5-p1 (on prem and cloud).

-Added April 29, 2020

This patch resolves an inability to re-send an account confirmation email link from storefront account login page. (This known issue was first identified in Magento 2.3.5.)

Affected Magento versions: Magento Commerce and Open Source v2.3.5 / v2.3.5-p1 (on prem and cloud).

See Applying patches for specific instructions on downloading and applying Magento patches.

-Added March 24, 2020

This patch addresses a lingering issue created by the fix for CVE-2019-8118 (PRODSECBUG-2452) included in Magento 2.3.3 and 2.2.10.

-Added February 12, 2020

This patch resolves the issue which affects orders placed with PayPal Express Checkout where the order’s shipping address specifies a country region that has been manually entered into the text field rather than selected from the drop-down menu on the Shipping page.

Affected Magento versions: Magento Commerce and Open Source v2.3.4 (on prem and cloud).

See Applying patches for specific instructions on downloading and applying Magento patches.

This patch resolves issues that users of Magento 2.3.3 experience in deployments where Elasticsearch 6.x is used as the catalog search engine. Users who attempt to navigate past the first page of search results are unsuccessful, and Magento displays an error message. After this patch is installed, users will be able to page through all search results.

Affected Magento versions: Magento Commerce and Open Source v2.3.3 (on Prem and Cloud).

This patch addresses backward compatibility issues that extension developers may have experienced after the introduction of Magento\Framework\Mail\EmailMessageInterface, which was released in Magento 2.3.3. In the scope of this patch, the new EmailMessageInterface inherits from the old MessageInterface, and core modules are changed back to rely on MessageInterface. Merchants should apply this patch as soon as possible, especially if their deployments include extensions or customizations that use the mail interface.

Affected Magento versions: Magento Commerce and Open Source v2.3.3.

See the Magento forum DevBlog post for much more information.

This patch addresses changes that were introduced in Magento 2.3.3 that resulted in problems with extensions and customizations of the product collection feature that rely on method chaining contracts. The addAttributeToFilter method (in file app/code/Magento/Catalog/Model/ResourceModel/Product/Collection.php) was refactored without a return statement, which broke the method-chaining that is used extensively in customizations of this feature. This patch refactors the method to add the missing return statement and ensure that method chaining works.

An unauthenticated cross-site scripting vulnerability combined with an authenticated Phar deserialization vulnerability has left older versions of Magento Commerce and Magento Open Source open to serious exploit. An attacker can use these vulnerabilities to inject JavaScript into the Magento Admin, and subsequently launch malicious code in a store user’s browser. We strongly recommend that all users of the affected versions of Magento download and apply the appropriate patch as soon as possible.

The issue affects the following Magento versions (on prem and cloud):

• Magento Open Source v2.3.1, 2.3.0, 2.2.8, and earlier 2.2.x releases
• Magento Commerce v2.3.1, 2.3.0, 2.2.8, and earlier 2.2.x releases
• Magento Commerce Cloud v2.3.1, 2.3.0, 2.2.8, and earlier 2.2.x releases

This patch resolves an issue with the Async and Bulk APIs, which in certain versions of Magento do not provide the information needed to update or create data for specific stores. Without this patch, the Async/Bulk REST APIs will support the default store view scope only.

Affected Magento versions are: Magento Open Source v2.3.2, 2.3.1

An issue has been discovered in Magento Open Source and Magento Commerce that can be used to disclose the URL location of a Magento Admin panel. While there is currently no reason to believe this issue would lead to a compromise directly, knowing the URL location could make it easier to automate attacks. To help prevent against potential attacks, Magento has released patches for this issue. For complete details, install instructions, and recommendations, see: https://magento.com/security/security-update-potential-vulnerability-magento-admin-url-location

This patch provides a replacement for the deprecated Google Image Charts service that Magento uses for all 2.x instances and replaces it with the Image-Charts free service. Users of Magento 2.x deployments will not be able to view static charts in Magento 2.x instances unless they download and apply this patch. See Switch from deprecated Google Image Charts to Image-Charts for Magento for more information.

This patch provides protection against the SQL injection vulnerability described under PRODSECBUG-2198 here. To quickly protect your store from this vulnerability only, install this patch. However, to apply protection against this vulnerability and others, you must apply the 2.3.1, 2.2.8, or 2.1.17 patch code. We strongly suggest that you install these full patches as soon as you can

This patch updates Authorize.Net Direct Post integration to continue processing payments beyond March 14th 2019 (see MD5 Hash End of Life & Signature Key Replacement). There are additional steps that you need to execute after installing this patch to ensure continued use of Authorize.Net – read more Update Authorize.Net Direct Post from MD5 to SHA-512.