Magento has released a security advisory strongly recommending that store owners protect their stores against a SQL injection vulnerability tracked as PRODSECBUG-2198. According to the advisory, Magento users should update their websites to a patched version as soon as possible to avoid the risk of their sites being infected with malicious code and of sensitive data being compromised.
A card-skimming campaign, in which shoppers' payment card data is stolen as they complete their purchases, has already affected more than 100 Magento websites worldwide.
To secure your store, we’re requesting users to upgrade to a patched version of Magento by 30 May 2019. (UPDATE: our security campaign has been extended until midnight 31 July 2019, by which date we require all Magento websites to have been cleared of any high risk vulnerabilities according to MageReport.com)
For Magento 1 (the 1.14 and 1.9 release lines), the SUPEE-11086 patch is available at this link: https://magento.com/security/patches/supee-11086
For Magento 2, the patched releases 2.1.17, 2.2.8 and 2.3.1 are available here: https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update
Given the risk this vulnerability represents to your store and your customers' data, we recommend that the patches are installed as soon as possible.
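A quick way to confirm where an installation stands against the releases listed above, as an added example that is not part of this notice or of Magento's own tooling: for Magento 2 it compares the installed version (as reported by `bin/magento --version` or `composer.json`) against the fixed release for its branch, and for Magento 1 it looks for SUPEE-11086 in `app/etc/applied.patches.list`. The sample contents of that file are constructed, and the assumption that the patch script writes one line per patch containing the patch ID, marking reverted patches with the word REVERTED, is exactly that, an assumption to verify against your own install.

```python
"""Check whether a Magento install carries the fix for PRODSECBUG-2198.

Added example; not code from the original notice or from Magento.
"""
import re

# Patched releases named in the advisory, keyed by (major, minor) branch.
# Anything lower on the same branch is still vulnerable.
PATCHED_M2 = {
    (2, 1): (2, 1, 17),
    (2, 2): (2, 2, 8),
    (2, 3): (2, 3, 1),
}
M1_PATCH_ID = "SUPEE-11086"

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version):
    """Return (major, minor, patch) for strings such as '2.3.1' or '2.2.8-p1'.

    Suffixes like '-p1' or '-develop' are ignored; a '-p' release is still at
    least the base release it was cut from, which is what matters here.
    """
    match = _VER_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def magento2_is_patched(version):
    """True if a Magento 2 version is at or beyond the fixed release for its branch.

    Returns None when the branch is not one the advisory lists (for example 2.0 or
    a later 2.4 release), so the caller does not mistake 'unknown' for 'safe'.
    """
    parsed = parse_version(version)
    fixed = PATCHED_M2.get(parsed[:2])
    if fixed is None:
        return None
    return parsed >= fixed


def magento1_patch_applied(applied_patches_list_text):
    """True if SUPEE-11086 appears as an applied (not reverted) entry.

    Assumption: Magento 1's patch script appends one line per applied patch
    that contains the patch ID, and tags reverted entries with 'REVERTED'.
    Verify this against the app/etc/applied.patches.list on your own install.
    """
    for line in applied_patches_list_text.splitlines():
        if M1_PATCH_ID in line and "REVERTED" not in line:
            return True
    return False


# Constructed sample of an applied.patches.list, not a real file.
SAMPLE_APPLIED_LIST = """\
2018-11-28 09:12:03 UTC | SUPEE-10975 | CE_1.9.3.10 | v1 | | n/a | SUPEE-10975
2019-03-29 14:02:41 UTC | SUPEE-11086 | CE_1.9.4.0 | v1 | | n/a | SUPEE-11086
"""

SAMPLE_REVERTED_LIST = """\
2019-03-29 14:02:41 UTC | SUPEE-11086 | CE_1.9.4.0 | v1 | | n/a | SUPEE-11086 | REVERTED
"""


if __name__ == "__main__":
    for ver in ("2.1.16", "2.1.17", "2.2.7", "2.2.8-p1", "2.3.0", "2.3.1", "2.4.0"):
        print(f"Magento {ver}: patched = {magento2_is_patched(ver)}")
    print("M1 sample applied:", magento1_patch_applied(SAMPLE_APPLIED_LIST))
    print("M1 sample reverted:", magento1_patch_applied(SAMPLE_REVERTED_LIST))
```

A `None` result means the installed branch is not covered by this advisory at all, which is a reason to look up the current support status of that branch rather than to assume it is safe. Note also that this is a version check, not a vulnerability scan: a store already compromised by the skimming campaign needs its code and database inspected, not just its version bumped.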
Once your Magento store is no longer vulnerable, please complete this form to confirm that you have completed the necessary upgrade steps.
Maintain your website security
Security is an ongoing concern and should be treated as such. MageReport.com is a free tool that scans your website for known security issues. Going forward, PayFast will use this tool to assess your site's security, and we may contact you about future issues. We strongly recommend that you check your website's status on MageReport.com regularly and fix any high-risk vulnerabilities it reports. You, your store, and your customers are our top priority.
Why security matters, no matter how big or small your business
To cyber criminals it doesn't matter whether your business is large, small or medium-sized; they are simply looking for easy targets. A common misconception is that only big businesses are at risk of attack. However, the automated "bots" that scour the internet looking for weaknesses do not distinguish between a small family business and a multinational corporation. You can read more here about why neglecting website security can be detrimental to small businesses.