Magento Commerce and Open Source 2.2.5 and 2.1.14 contain multiple security enhancements that help close authenticated Admin user remote code execution (RCE), Cross-Site Scripting (XSS) and other vulnerabilities. Merchants who have not previously downloaded a Magento 2 release should go straight to Magento Commerce or Open Source 2.2.5.
As always, install the patch in a development environment and test it before applying it to your live site. Please refer to Security Best Practices for additional information on how to secure your site.
For your convenience, we have quoted some of the announcement from Magento’s Forum down below. If you need any assistance with security patch updates, please send an email to: email@example.com or contact your Account Manager at eBoundHost. Visit the official Magento site for more details:
APPSEC-2014: Authenticated Remote Code Execution (RCE) through the Magento admin panel (swatches module)
APPSEC-2054: Remote Code Execution (RCE) via product import
APPSEC-2042: PHP Object Injection and RCE in the Magento 2 EE admin panel (Commerce Target Rule module)
APPSEC-2055: PHP Object Injection and RCE in the Magento 2 Commerce admin panel (Schedule Import/Export Configuration)
APPSEC-2048: SQL Injection through API
APPSEC-2025: Arbitrary File Delete via Product Image
APPSEC-2044: Cross-Site Scripting (XSS) through B2B quote
APPSEC-2026: Authenticated Remote Code Execution (RCE) through the Magento admin panel (currency configuration)
APPSEC-2070: Directory Traversal in Product Import
APPSEC-2062: Remote Code Execution (RCE) through dev tools
APPSEC-2027: PHP Object Injection and Remote Code Execution (RCE) in the Admin panel (Commerce)
APPSEC-2010: Cross-Site Request Forgery + Frontend Stored XSS (Design Configuration)
APPSEC-2030: Cross-Site Scripting (XSS) through the Admin Username in the CMS Revision Editor (Commerce only)
APPSEC-1716: X-Frame-Options missing from templates
APPSEC-1993: IP Spoofing
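The list above tells a merchant two things they can verify on their own site: whether the installed Magento release is at or beyond the fixed versions (2.1.14 on the 2.1 branch, 2.2.5 on the 2.2 branch), and whether the storefront now sends an X-Frame-Options header (APPSEC-1716). The following Python script is an added example written for this page, not tooling from eBoundHost or Magento. It reads the version from a composer.lock document (the real package names are magento/product-community-edition and magento/product-enterprise-edition; the composer.lock excerpt and the response headers in the block are constructed sample input), and it assumes that releases on branches newer than 2.2 already contain these fixes.

```python
"""Pre- and post-patch checks for the Magento 2.1.14 / 2.2.5 security release.

Added example for this page; not eBoundHost's or Magento's own tooling.
"""
import json
import re

# Lowest release on each branch that carries the fixes listed above.
FIXED = {(2, 1): (2, 1, 14), (2, 2): (2, 2, 5)}

# Values of X-Frame-Options that actually stop framing by other origins.
ACCEPTED_XFO = {"DENY", "SAMEORIGIN"}


def parse_version(text):
    """Pull an x.y.z version out of free text.

    Works on a bare "2.2.4" as well as on the output of `bin/magento --version`
    (e.g. "Magento CLI version 2.2.4").
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version_text):
    """True when the release includes the fixes announced for 2.1.14 / 2.2.5."""
    v = parse_version(version_text)
    branch = v[:2]
    if branch in FIXED:
        return v >= FIXED[branch]
    if branch < (2, 1):
        # 2.0.x and older are not covered by this announcement at all.
        return False
    # Assumption: any later branch (2.3 onward) shipped after these fixes.
    return True


def installed_version(composer_lock_text):
    """Return the Magento product package version recorded in composer.lock."""
    lock = json.loads(composer_lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") in (
            "magento/product-community-edition",
            "magento/product-enterprise-edition",
        ):
            return pkg["version"]
    raise LookupError("no Magento product package in composer.lock")


def xfo_problem(headers):
    """Return a description of the X-Frame-Options problem, or None if it is fine.

    `headers` is a dict of response headers; names are matched case-insensitively.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("x-frame-options")
    if value is None:
        return "X-Frame-Options header missing"
    if value.strip().upper() not in ACCEPTED_XFO:
        return f"X-Frame-Options has unexpected value {value!r}"
    return None


# Constructed sample input: a trimmed composer.lock from an unpatched 2.2 store
# and the headers of its storefront response.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "magento/framework", "version": "101.0.4"},
        {"name": "magento/product-community-edition", "version": "2.2.4"},
    ]
})
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=UTF-8", "Server": "nginx"}


def run_checks(composer_lock_text, headers):
    """Summarise both checks for one store."""
    version = installed_version(composer_lock_text)
    return {
        "version": version,
        "patched": is_patched(version),
        "xfo_problem": xfo_problem(headers),
    }


if __name__ == "__main__":
    for key, val in run_checks(SAMPLE_LOCK, SAMPLE_HEADERS).items():
        print(f"{key}: {val}")
```

To run it against a live install, feed `run_checks` the contents of the store's composer.lock and the header dict from a request to the storefront; a result of `patched: False` or a non-empty `xfo_problem` means the upgrade has not landed (or a reverse proxy is stripping the header).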
Cost, technical support and promptness of return calls are of paramount importance to me since most of my work is done on the road and waiting for a reply is frustrating. eBoundHost has been a pleasure to work with: friendly, courteous and professional.
eBoundHost provides the very best service I've experienced in hosting. It takes less than 24h to get an answer to any question. They're great.
Every time I have contacted my host provider, they have responded with speed, courtesy and accuracy; they are professional and a joy to work with.
Fast, reliable, full of features... Over the years, I have used more than a dozen hosts, both the big ones and smaller ones; eBoundHost.com is by far my favorite.
eBoundHost is really the best hosting service in today's marketplace. Fast and efficient customer service with excellent IT knowledge. Good price and many bundled extra options. Highly recommended!
SUPER SUPPORT - even during "off hours" - Sundays & holidays. Responses have always been within minutes of the initial call or email. The BEST vendor I have ever used in my 10 plus years as a webhosting services consumer.
I'm Stan Bogdashin, a customer of your hosting company for the past 2 years. Our company provides web design, development and Search Engine Optimization (SEO) services. Want to thank you for helping us by providing great hosting and seamless support - this is why I continue to recommend you and don't use anyone else for hosting!
EXCELLENT across the board, super quick reply to questions (about 15-30min). Outstanding! Loads of features, excellent price! Loads of space and bandwidth!
I have been a customer since December of 2001, and the service has been nothing less than excellent. I would recommend eBoundHost highly.
Every time I call with a problem or question, everyone, especially Denis, has always stepped up to the occasion. As usual he solved yet another problem I had. You have superlative customer service. It doesn't get any better. Keep it up guys.
From using your hosting services for dozens of web clients and appreciating your wonderful customer service (all the while enjoying spending my meaty affiliate checks), I look forward to growing with you and watching you evolve surely and steadily into a powerhouse of a force to be reckoned with for your competitors. In an overcrowded abyss of hosting providers it is an absolute MUST to stand out above the crowd if you want to claim your stake and play with the big boys. Period. All I can say is this...Look Out World - GAME ON!!!
I have worked with many hosting companies over the course of my years in the website building and design business. I can say with certainty that eBoundHost.com is among the elite companies. I would and have recommended them to anyone.
eBoundHost is the best. I have dealt with many hosting providers over the last 10 years. eBoundHost surpasses them all. Absolutely the highest level of quality service anywhere. Do yourself a big favor and sign on with eBoundHost.
I was just looking over our emails and adding up how much time you guys have taken to get me squared away with my new eboundhost account. I can't tell you what a relief it is to have fast, dependable hosting and the kind of immediate support I've gotten from you, after having struggled with a sub-standard host for years. eboundhost has, in the short time I've been with you, already saved me hundreds of dollars of billable time. My thanks.
Reliability and customer service that is rare and refreshing. We have been using eBoundHost for several years and, unlike many companies whose service wanes over the years, the staff at eBound has consistently delivered top notch performance. Bravo!
I waited to write a review until I had absolutely everything working, thinking that something would come up that eboundhost couldn't solve almost immediately. I've never been so happy to be wrong - their customer support is just incredible.
We at Alico have 4 domain names which we have been hosting at eBoundHost for more than 4 years. In brief, they are the best webhosting provider, with a sexy Control Panel and perfect fast response support.