Magento has released a security advisory strongly recommending that users protect their stores against a SQL injection vulnerability called PRODSECBUG-2198. According to the advisory, Magento users should update their websites to a patched version as soon as possible to avoid the risk of their websites being infected with malicious code and sensitive data being compromised.
A skimming campaign, resulting in card data being stolen after shoppers have made their purchases, has already affected more than 100 Magento websites worldwide.
To secure your store, we request that users upgrade to a patched version of Magento by 30 May 2019. (UPDATE: our security campaign has been extended until midnight 30 August 2019, by which date we require all Magento websites to have been cleared of any high-risk vulnerabilities according to MageReport.com.)
Patches for versions 220.127.116.11 and 1.9 are available at this link: https://magento.com/security/patches/supee-11086
Patches for versions 2.1.17, 2.2.8 and 2.3.1 are available here: https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update
Given the risk this vulnerability represents to your store and customer data, it’s recommended that the patches are installed as soon as possible.
Once your Magento store is no longer vulnerable, please complete this form to confirm that you have completed the necessary upgrade steps.
Maintain your website security
Security is an ongoing concern and should be treated as such. A great free tool called MageReport.com allows you to scan your website for any security issues. Going forward, PayFast will be making use of this tool to assess your site’s security, and we may contact you with regard to future issues. It’s highly recommended that you check the status of your website in MageReport.com regularly and fix any high-risk vulnerabilities. You, your store, and your customers are our top priority.