Magento Commerce and Open Source 2.3.2, 2.2.9 and 2.1.18 contain 75 security enhancements that help close Remote Code Execution (RCE), Cross-Site Scripting (XSS) and other vulnerabilities. These enhancements are described in three related blog posts — the post you’re currently reading plus these two separate posts, which you can find here: Part 2 and Part 3.
Merchants who have not previously downloaded a Magento 2 release should go straight to Magento Commerce or Open Source 2.3.2.
Please refer to Security Best Practices for additional information on how to secure your site.
The Magento 2.1.18 release is the final supported release for Magento 2.1.x. As of June 30 2019, Magento 2.1.x no longer receives security updates or product quality fixes, because its support window has expired.
To download the releases, choose from the following options:
Partners:
Release | Download location |
---|---|
Magento Commerce 2.3.2 (New .zip file installations) | Partner Portal > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.3.2 |
Magento Commerce 2.2.9 (New .zip file installations) | Partner Portal > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.2.9 |
Magento Commerce 2.1.18 (New .zip file installations) | Partner Portal > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.1.18 |
Magento Commerce 2.3.2, 2.2.9 and 2.1.18 (New composer installations) | https://devdocs.magento.com/guides/v2.2/install-gde/composer.html |
Magento Commerce 2.3.2, 2.2.9 and 2.1.18 (Composer upgrades) | https://devdocs.magento.com/guides/v2.3/comp-mgr/bk-compman-upgrade-guide.html |
Magento Commerce:
Release | Download location |
---|---|
Magento Commerce 2.3.2 (New .zip file installations) | My Account > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.3.2 |
Magento Commerce 2.2.9 (New .zip file installations) | My Account > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.2.9 |
Magento Commerce 2.1.18 (New .zip file installations) | My Account > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.1.18 |
Magento Commerce 2.3.2, 2.2.9 and 2.1.18 (New composer installations) | https://devdocs.magento.com/guides/v2.3/install-gde/composer.html |
Magento Commerce 2.3.2, 2.2.9 and 2.1.18 (Composer upgrades) | https://devdocs.magento.com/guides/v2.3/comp-mgr/bk-compman-upgrade-guide.html |
Magento Open Source:
Release | Download location |
---|---|
Magento Open Source 2.3.2, 2.2.9 and 2.1.18 (New .zip file installations) | Magento Open Source Download Page > Download Tab |
Magento Open Source 2.3.2, 2.2.9 and 2.1.18 (New composer installations) | https://devdocs.magento.com/guides/v2.3/install-gde/composer.html |
Magento Open Source 2.3.2, 2.2.9 and 2.1.18 (Composer upgrades) | https://devdocs.magento.com/guides/v2.3/comp-mgr/bk-compman-upgrade-guide.html |
Magento Open Source 2.3.2, 2.2.9 and 2.1.18 (Developers contributing to the Open Source code base) | https://devdocs.magento.com/guides/v2.3/install-gde/install/cli/dev_options.html |
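Before choosing a download above, it helps to know which release branch a site is on and whether it already carries the fix. The following script is an added example, not part of this release announcement or of Magento's own tooling: it reads the Magento metapackage version from a composer.lock file and compares it against the fixed versions this page lists (2.1.18, 2.2.9, 2.3.2), flagging the 2.1.x branch as end of life. The composer.lock fragment it parses is constructed for the example; the metapackage names magento/product-community-edition and magento/product-enterprise-edition are the real Composer names used by Magento 2.

```python
import json
import re

# Fixed versions from this advisory, keyed by release branch.
FIXED_VERSIONS = {"2.1": "2.1.18", "2.2": "2.2.9", "2.3": "2.3.2"}
# Branch that receives no further security updates after June 30 2019.
END_OF_LIFE_BRANCHES = {"2.1"}
# Composer metapackage names for Magento Open Source and Magento Commerce.
MAGENTO_PACKAGES = (
    "magento/product-community-edition",
    "magento/product-enterprise-edition",
)


def parse_version(version):
    """Turn '2.3.1' or '2.2.9-p1' into a comparable tuple such as (2, 3, 1).

    Suffixes like '-p1' are ignored: a patch release is at least the base version.
    """
    match = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def installed_magento_version(composer_lock_text):
    """Return the Magento metapackage version recorded in composer.lock, or None."""
    lock = json.loads(composer_lock_text)
    for package in lock.get("packages", []):
        if package.get("name") in MAGENTO_PACKAGES:
            return package.get("version")
    return None


def assess(version):
    """Classify an installed version against the fixed versions in this advisory."""
    major, minor, patch = parse_version(version)
    branch = f"{major}.{minor}"
    if branch not in FIXED_VERSIONS:
        # Branches this advisory does not cover (e.g. 2.0.x or later 2.4.x).
        return {"branch": branch, "status": "not-covered", "fixed_in": None,
                "end_of_life": False}
    fixed = FIXED_VERSIONS[branch]
    patched = (major, minor, patch) >= parse_version(fixed)
    return {"branch": branch, "status": "patched" if patched else "vulnerable",
            "fixed_in": fixed, "end_of_life": branch in END_OF_LIFE_BRANCHES}


def assess_composer_lock(composer_lock_text):
    """Combine lock-file parsing with the version assessment."""
    version = installed_magento_version(composer_lock_text)
    if version is None:
        return {"installed": None, "status": "magento-not-found"}
    result = assess(version)
    result["installed"] = version
    return result


# Constructed composer.lock fragment for demonstration (not from a real site).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "magento/framework", "version": "102.0.1"},
    {"name": "magento/product-community-edition", "version": "2.3.1"},
]})

if __name__ == "__main__":
    print(assess_composer_lock(SAMPLE_LOCK))
```

Run it against a real site with `assess_composer_lock(open("composer.lock").read())`; a "vulnerable" result on the 2.1 branch should be read together with the end-of-life flag, since 2.1.18 is the last release that branch will get.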
PRODSECBUG-2233: Stored cross-site scripting in the admin panel - CVE-2019-7877 | |
---|---|
Type: | General: cross-site scripting |
CVSSv3 Severity: | 9.6 |
Known Attacks: | None (exploit details are available publicly) |
Description: | A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript. In some configurations, the issue could be exploited by an unauthenticated user using the store front. Note: a patch for this issue is also available for earlier versions of Magento; more details here. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Simon Scannell |
PRODSECBUG-2296: Arbitrary code execution through design layout update - CVE-2019-7895 | |
---|---|
Type: | General: Remote Code Execution |
CVSSv3 Severity: | 9.1 |
Known Attacks: | none |
Description: | An authenticated user with admin privileges can execute arbitrary code through a crafted XML layout update. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Blaklis |
PRODSECBUG-2298: Arbitrary code execution through product imports and design layout update - CVE-2019-7896 | |
---|---|
Type: | General: Remote Code Execution |
CVSSv3 Severity: | 9.1 |
Known Attacks: | none |
Description: | An authenticated user with admin privileges can execute arbitrary code through a combination of product import via a crafted csv file and an XML layout update. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Edgar Boda-Majer |
PRODSECBUG-2349: Arbitrary code execution via file upload in admin import feature - CVE-2019-7930 | |
---|---|
Type: | File Problems: Unsafe File Upload |
CVSSv3 Severity: | 9.1 |
Known Attacks: | none |
Description: | An authenticated user with admin privileges to the import feature can execute arbitrary code by uploading a malicious csv file. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | sambecks |
PRODSECBUG-2202: Security bypass via form data injection - CVE-2019-7871 | |
---|---|
Type: | General: Remote Code Execution |
CVSSv3 Severity: | 9.1 |
Known Attacks: | none |
Description: | An authenticated user can inject form data and bypass security protections that prevent arbitrary PHP script upload. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Max Chadwick |
PRODSECBUG-2375: Arbitrary code execution via malicious XML layouts - CVE-2019-7942 | |
---|---|
Type: | General: Remote Code Execution |
CVSSv3 Severity: | 9.1 |
Known Attacks: | none |
Description: | An authenticated user with admin privileges can execute arbitrary code when creating a product via malicious XML layouts. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Charles Fol |
PRODSECBUG-2306: Remote code execution through crafted email templates - CVE-2019-7903 | |
---|---|
Type: | General: Remote Code Execution |
CVSSv3 Severity: | 9.0 |
Known Attacks: | none |
Description: | An authenticated user with admin privileges can execute arbitrary code through crafted email template code when previewing the template. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Karim El Ouerghemmi |
PRODSECBUG-2351: Arbitrary code execution via crafted sitemap creation - CVE-2019-7932 | |
---|---|
Type: | General: Remote Code Execution |
CVSSv3 Severity: | 9.0 |
Known Attacks: | none |
Description: | An authenticated user with admin privileges to create sitemaps can execute arbitrary code by supplying a crafted sitemap filename that includes a php extension within the XML filename. |
Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Simon Scannell |
PRODSECBUG-2266: Arbitrary code execution through malicious elastic search module configuration - CVE-2019-7885 | |
---|---|
Type: | General: Remote Code Execution |
CVSSv3 Severity: | 9.0 |
Known Attacks: | none |
Description: | An authenticated user with privileges to configure the catalog search can execute arbitrary code through malicious configuration of the Elastic search module. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Simon Scannell |
PRODSECBUG-2429: Insecure object reference via customer REST API - CVE-2019-7950 | |
---|---|
Type: | General: Information Leakage |
CVSSv3 Severity: | 8.8 |
Known Attacks: | none |
Description: | Unauthenticated users can pass arbitrary values for company attribute parameters via POST and PUT actions and assign themselves to an arbitrary company, effectively gaining access to that company's confidential information. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Internal Penetration Testing |
PRODSECBUG-2307: Insufficient enforcement of user access controls can lead to unauthorized environment configuration changes - CVE-2019-7904 | |
---|---|
Type: | Privilege Escalation & Enumeration: Broken Authentication and Session Management |
CVSSv3 Severity: | 8.5 |
Known Attacks: | none |
Description: | Insufficient enforcement of user access controls can be abused by a low-privileged user to make unauthorized environment configuration changes, such as removing security controls. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Edgar Boda-Majer |
PRODSECBUG-2198: SQL Injection due to a flaw in MySQL adapter - CVE-2019-7139 | |
---|---|
Type: | General: SQL Injection (Blind Read) |
CVSSv3 Severity: | 8.2 |
Known Attacks: | none |
Description: | An unauthenticated user in Magento 2.x, or an authenticated user in Magento 1.x, can execute SQL statements that allow arbitrary read access to the underlying database. Note: this issue was addressed in the previous releases 2.2.8 and 2.3.1 and also in the separately released PRODSECBUG-2198 patches. This release adds the fix for version 2.1.x. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18 |
Fixed In: | Magento 2.1.18 |
Reporter: | Charles Fol |
PRODSECBUG-2347: Insufficient brute-forcing defenses in the token exchange protocol could be abused in carding attacks - CVE-2019-7928 | |
---|---|
Type: | Others: Denial of Service |
CVSSv3 Severity: | 8.2 |
Known Attacks: | Reported |
Description: | Insufficient brute-forcing defenses in the token exchange protocol between Magento and payment processors could be abused in carding attacks. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: |
PRODSECBUG-2285: Arbitrary code execution due to unsafe handling of a carrier gateway - CVE-2019-7892 | |
---|---|
Type: | General: Remote Code Execution |
CVSSv3 Severity: | 8.0 |
Known Attacks: | none |
Description: | An authenticated user with admin privileges to access shipment settings can execute arbitrary code through server-side request forgery. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Max Chadwick |
PRODSECBUG-2232: Arbitrary code execution via layout manipulation - CVE-2019-7876 | |
---|---|
Type: | General: Remote Code Execution |
CVSSv3 Severity: | 8.0 |
Known Attacks: | none |
Description: | An authenticated user with privileges to manipulate layout can execute arbitrary code through a crafted custom layout update field. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Peter O'Callaghan |
PRODSECBUG-2339: Arbitrary code execution due to unsafe handling of a carrier gateway - CVE-2019-7923 | |
---|---|
Type: | General: Remote Code Execution |
CVSSv3 Severity: | 8.0 |
Known Attacks: | none |
Description: | An authenticated user with admin privileges to manipulate shipment settings can execute arbitrary code through server-side request forgery. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Max Chadwick |
PRODSECBUG-2322: Arbitrary code execution due to unsafe handling of a shipping gateway - CVE-2019-7913 | |
---|---|
Type: | General: Remote Code Execution |
CVSSv3 Severity: | 7.9 |
Known Attacks: | none |
Description: | An authenticated user with admin privileges to manipulate shipment methods can execute arbitrary code through server-side request forgery. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Max Chadwick |
PRODSECBUG-2320: Arbitrary code execution due to unsafe handling of system configuration - CVE-2019-7911 | |
---|---|
Type: | General: Remote Code Execution |
CVSSv3 Severity: | 7.9 |
Known Attacks: | none |
Description: | An authenticated user with admin privileges to manipulate system configuration can execute arbitrary code through server-side request forgery. |
Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Max Chadwick |
PRODSECBUG-2430: Security bypass via crafted SOAP requests - CVE-2019-7951 | |
---|---|
Type: | General: Remote Code Execution |
CVSSv3 Severity: | 7.4 |
Known Attacks: | none |
Description: | A SOAP web service endpoint does not properly enforce parameters related to the access control list and customer identification, allowing arbitrary customer identification in crafted SOAP requests. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Internal Penetration Testing |
PRODSECBUG-2177: Insufficient server side validations leads to Insecure File upload vulnerability - CVE-2019-7861 | |
---|---|
Type: | Others: Security Implementation Flaw |
CVSSv3 Severity: | 6.5 |
Known Attacks: | none |
Description: | An attacker can upload malicious files due to insufficient server side validations. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Internal Penetration Testing |
PRODSECBUG-2325: Denial-of-service by forcing a store to respond with a 404 error - CVE-2019-7915 | |
---|---|
Type: | General: Remote Code Execution |
CVSSv3 Severity: | 6.5 |
Known Attacks: | none |
Description: | An attacker can cause a denial-of-service via a crafted request that results in the Magento store serving a cached 404 error response. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Matti Vapa |
PRODSECBUG-2208: Insufficient authorization check when adding users to company accounts - CVE-2019-7872 | |
---|---|
Type: | Privilege Escalation & Enumeration: Insecure Direct Object Reference |
CVSSv3 Severity: | 6.0 |
Known Attacks: | none |
Description: | Insufficient authorization checks could be abused by a user with admin privileges to add users to company accounts, or modify existing user details. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | craig-gene |
PRODSECBUG-2222: Deletion of user roles via cross-site request forgery (CSRF) - CVE-2019-7874 | |
---|---|
Type: | General: Cross Site Request Forgery |
CVSSv3 Severity: | 5.8 |
Known Attacks: | none |
Description: | An attacker can delete user roles within the context of an authenticated administrator's session through cross-site request forgery (CSRF). |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Djordje Marjanovic |
PRODSECBUG-2346: Stored cross-site scripting in the admin panel - CVE-2019-7927 | |
---|---|
Type: | General: cross-site scripting |
CVSSv3 Severity: | 5.5 |
Known Attacks: | none |
Description: | A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Internal Penetration Testing |
PRODSECBUG-2364: Stored cross-site scripting in the admin panel - CVE-2019-7936 | |
---|---|
Type: | General: cross-site scripting |
CVSSv3 Severity: | 5.5 |
Known Attacks: | none |
Description: | A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Max Chadwick |
PRODSECBUG-2116: Stored cross-site scripting in the catalog events feature - CVE-2019-7850 | |
---|---|
Type: | General: cross-site scripting |
CVSSv3 Severity: | 5.5 |
Known Attacks: | none |
Description: | A stored cross-site scripting vulnerability exists in the catalog marketing events form. This could be exploited by an authenticated user with privileges to catalog events to inject malicious javascript. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Max Chadwick |
PRODSECBUG-2182: Reflected cross-site scripting in the admin panel - CVE-2019-7862 | |
---|---|
Type: | General: cross-site scripting |
CVSSv3 Severity: | 5.5 |
Known Attacks: | none |
Description: | A reflected cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Magecraze |
PRODSECBUG-2366: Stored cross-site scripting in the admin panel - CVE-2019-7937 | |
---|---|
Type: | General: cross-site scripting |
CVSSv3 Severity: | 5.5 |
Known Attacks: | none |
Description: | A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript. |
Product(s) Affected: | Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Max Chadwick |
PRODSECBUG-2275: Unsafe functionality is exposed via email templates manipulation - CVE-2019-7889 | |
---|---|
Type: | General: injection |
CVSSv3 Severity: | 5.5 |
Known Attacks: | none |
Description: | An authenticated user with marketing manipulation privileges can invoke methods that alter data of the underlying model, followed by corresponding database modifications. |
Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Blaklis |
PRODSECBUG-2299: Stored cross-site scripting in the admin panel - CVE-2019-7897 | |
---|---|
Type: | General: cross-site scripting |
CVSSv3 Severity: | 5.5 |
Known Attacks: | none |
Description: | A stored cross-site scripting vulnerability exists in the admin panel. This could be exploited by an authenticated user with privileges to the admin panel to inject malicious javascript. |
Product(s) Affected: | Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 |
Fixed In: | Magento Open Source 1.9.4.2, Magento Commerce 1.14.4.2, SUPEE-11155, Magento 2.1.18, Magento 2.2.9, Magento 2.3.2 |
Reporter: | Karim El Ouerghemmi |
Be sure to implement and test the patch in a development environment first to confirm that it works as expected before deploying it to a production site.