With Magento version 1 reaching end-of-life on June 30th, 2020, many merchants migrated to the next incarnation of the Adobe Inc. eCommerce platform, Magento version 2. A consistent theme becoming apparent during investigations, however, is merchants failing to keep their Magento 2 platform updated, in breach of PCI DSS requirement 6.2 ("Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches").
Security vulnerabilities in the Magento 1 platform were fixed by installing security patches without updating the underlying platform, so a merchant could continue to run Magento version 22.214.171.124 (released September 19th, 2018) provided all the required patches (SUPEE-10975, SUPEE-11089, etc.) had been applied. With Magento version 2 this model no longer applies: merchants must update the underlying platform to pick up the available security fixes, i.e., a website currently running Magento version 2.3.2 would need to upgrade to Magento version 2.4.2 to benefit from the latest version of the platform, which includes all available security fixes.
This requirement has become more pressing following the release of a batch of security updates in Magento versions 2.4.2, 2.4.1-p1 and 2.3.6-p1, which fix a number of critical flaws, including security bypass, stored cross-site scripting (XSS), XML injection, command injection and ‘File Upload Allow List Bypass’ vulnerabilities.
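As an added illustration (not part of the 3B Data Security post), a small Python check that applies the rule above across a fleet of stores: it parses the version reported by `bin/magento --version` (assumed here to print `Magento CLI <version>`) and reports whether that version is at or above the lowest fixed release on its branch (2.4.1-p1 on the 2.4 branch, 2.3.6-p1 on 2.3), handling the `-pN` suffix so that 2.3.6 is reported as exposed while 2.3.6-p1 is not.

```python
import re
from typing import Dict, Tuple

# Lowest release on each Magento 2 branch that carries the fixes the post refers to
# (2.4.2 / 2.4.1-p1 on the 2.4 branch, 2.3.6-p1 on 2.3). Branches older than 2.3
# received no fixed release in that batch, so any 2.2.x store counts as exposed.
MIN_FIXED: Dict[Tuple[int, int], str] = {
    (2, 4): "2.4.1-p1",
    (2, 3): "2.3.6-p1",
}

# Magento 2 versions look like 2.3.6 or 2.3.6-p1 (a security-only patch release).
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """'2.3.6-p1' -> (2, 3, 6, 1). A plain release gets patch level 0, so tuple
    ordering gives 2.3.6 < 2.3.6-p1 < 2.3.7 and 2.4.1-p1 < 2.4.2, matching the
    meaning of Magento's -pN suffix."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Magento version found in {text!r}")
    major, minor, point, p = m.groups()
    return int(major), int(minor), int(point), int(p or 0)


def patch_status(installed: str) -> Tuple[str, str]:
    """Classify an installed version (e.g. the 'Magento CLI 2.3.2' line printed by
    bin/magento --version) as 'patched', 'exposed' or 'unknown', with a reason."""
    v = parse_version(installed)
    branch = v[:2]
    if branch not in MIN_FIXED:
        if branch > max(MIN_FIXED):
            return "unknown", f"{installed}: branch newer than the advisory covers"
        return "exposed", f"{installed}: no fixed release on branch {branch[0]}.{branch[1]}; upgrade to 2.4.x"
    floor = MIN_FIXED[branch]
    if v >= parse_version(floor):
        return "patched", f"{installed}: at or above {floor}"
    return "exposed", f"{installed}: below {floor}; upgrade to {floor} or later"


if __name__ == "__main__":
    # Constructed sample inputs, as a fleet check might collect them store by store.
    for line in ["Magento CLI 2.3.2", "Magento CLI 2.3.6", "Magento CLI 2.3.6-p1",
                 "Magento CLI 2.4.1", "Magento CLI 2.4.2", "Magento CLI 2.2.11"]:
        status, why = patch_status(line)
        print(f"{status.upper():8s} {why}")
```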
If you require advice or guidance on securing your environment, please contact 3B Data Security.
Magento Commerce and Magento Open Source editions both need patching against a total of 18 CVE-rated vulnerabilities