Earlier this month Magento identified a new vulnerability in the Zend Framework 1 and 2 email component used by all Magento 1 and 2 software. This is considered a serious vulnerability that can lead to remote code execution.
To protect your site, system administrators should immediately do the following:
- Check the site's mail sending settings that control the “Reply to” address for your store’s emails.
- For Magento 1 – Go to System > Configuration > Advanced > System > Mail Sending Settings > Set Return-Path
- For Magento 2 – Go to Stores > Configuration > Advanced > System > Mail Sending Settings > Set Return-Path
If “Set Return-Path” is set to “Yes” and your server uses Sendmail, your store is vulnerable to this exploit.
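The check above is done per scope in the admin UI, so an override on a single website or store view is easy to miss. The following added example (not from this post or from Magento's own tooling) triages a `core_config_data` export offline; it assumes the option is stored under the path `system/smtp/set_return_path` with `1` meaning “Yes”, and that Sendmail is identified from PHP's `sendmail_path`. The rows and paths below are constructed sample data.

```python
"""Offline triage of Magento's Set Return-Path setting across all config scopes.

Assumptions (not stated in the advisory above): the admin option lives in
core_config_data at path system/smtp/set_return_path (0 = No, 1 = Yes,
2 = Specified) and may be overridden per website or store view; the
server's MTA is taken from PHP's sendmail_path as printed by `php -i`.
"""
from typing import Dict, List, Tuple

RETURN_PATH = "system/smtp/set_return_path"
YES = "1"  # the advisory flags "Yes"; "Specified" (2) uses an admin-entered address

# Constructed sample of: SELECT scope, scope_id, path, value FROM core_config_data
SAMPLE_ROWS = [
    ("default", 0, "system/smtp/set_return_path", "0"),   # global scope says No
    ("default", 0, "system/smtp/return_path_email", ""),
    ("stores", 2, "system/smtp/set_return_path", "1"),    # store view 2 overrides to Yes
]


def return_path_by_scope(rows: List[Tuple[str, int, str, str]]) -> Dict[Tuple[str, int], str]:
    """Map every (scope, scope_id) that sets the option to its raw value."""
    settings: Dict[Tuple[str, int], str] = {}
    for scope, scope_id, path, value in rows:
        if path == RETURN_PATH:
            settings[(scope, int(scope_id))] = value
    return settings


def uses_sendmail(sendmail_path: str) -> bool:
    """Heuristic on the sendmail_path php.ini value: an MTA binary named sendmail."""
    return "sendmail" in sendmail_path.lower()


def affected_scopes(rows: List[Tuple[str, int, str, str]], sendmail_path: str) -> List[Tuple[str, int]]:
    """Scopes where Set Return-Path is Yes AND the server uses Sendmail:
    the combination the advisory above marks as vulnerable."""
    if not uses_sendmail(sendmail_path):
        return []
    return sorted(k for k, v in return_path_by_scope(rows).items() if v == YES)


if __name__ == "__main__":
    hits = affected_scopes(SAMPLE_ROWS, "/usr/sbin/sendmail -t -i")
    for scope, scope_id in hits:
        print(f"Set Return-Path = Yes at scope {scope}/{scope_id}: switch it to No")
    if not hits:
        print("No scope has Set Return-Path enabled with a Sendmail transport")
```

Feed it the real rows from `core_config_data` and the `sendmail_path` from `php -i`; any scope it lists needs the setting switched to “No” per the advisory.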
Magento Enterprise Cloud Edition customers do not need to worry about this vulnerability as Magento has already checked and verified your configurations.
For more information on Magento news, updates, and security, visit these resources:
- Tech Resources – Magento Security Notice for Zend Framework Vulnerabilities
- Release Notes – Magento Enterprise Edition (EE)
- Release Notes – Magento Community Edition (CE)
Having Trouble Keeping Up With Security Updates?
Forix can help. Get in touch and see how our Magento Managed Support Services can keep your site running and secure.