Improved QPS Module
We improved the QPS module. You can now configure an email address to get a notification once new rules have been synchronized. You can find the configuration in
System > Configuration > Quick Protection System > Notification.
This patch backports the fix for CVE-2020-9690 from Magento 2 to Magento 1. Magento's hash compare function had an observable timing discrepancy: the time it took to compare a supplied hash with the expected one depended on how many leading bytes matched, which an attacker can measure. Successful exploitation could lead to a signature verification bypass.
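To illustrate the class of bug, here is an added example (not code from the Mage One patch or from Magento) of an HMAC-signed payload check written in PHP: a vulnerable verifier that compares hashes with `==`, and a hardened one that uses `hash_equals()`, with a constant-time fallback for PHP versions older than 5.6. The secret, payload and function names are made up for the example.

```php
<?php
// Added example, not Mage One's or Magento's code. The secret, payload and
// function names are invented for illustration.

// Polyfill for PHP < 5.6, where hash_equals() does not exist. The XOR loop
// touches every byte, so its run time does not depend on where the first
// mismatch is.
if (!function_exists('hash_equals')) {
    function hash_equals($known, $user)
    {
        if (!is_string($known) || !is_string($user)) {
            return false;
        }
        $len = strlen($known);
        if ($len !== strlen($user)) {
            return false;
        }
        $diff = 0;
        for ($i = 0; $i < $len; $i++) {
            $diff |= ord($known[$i]) ^ ord($user[$i]);
        }
        return $diff === 0;
    }
}

function signPayload($payload, $secret)
{
    return hash_hmac('sha256', $payload, $secret);
}

// Vulnerable: == (like strcmp()) stops at the first differing byte, so the
// response time leaks how many leading bytes of the attacker's guess are
// correct, and the expected signature can be recovered byte by byte.
// == also applies numeric type juggling to strings such as "0e123...".
function verifySignatureVulnerable($payload, $secret, $signature)
{
    return signPayload($payload, $secret) == $signature;
}

// Hardened: reject non-strings up front, then compare in constant time.
function verifySignatureSafe($payload, $secret, $signature)
{
    if (!is_string($signature)) {
        return false;
    }
    $expected = signPayload($payload, $secret);
    return hash_equals($expected, $signature);
}

// Constructed sample input for a stand-alone run.
$secret  = 'example-shared-secret';
$payload = '{"order_id":1001,"status":"complete"}';

$validSignature  = signPayload($payload, $secret);
$forgedSignature = str_repeat('0', 64);

var_dump(verifySignatureVulnerable($payload, $secret, $validSignature));  // bool(true)
var_dump(verifySignatureVulnerable($payload, $secret, $forgedSignature)); // bool(false), but timing-dependent
var_dump(verifySignatureSafe($payload, $secret, $validSignature));        // bool(true)
var_dump(verifySignatureSafe($payload, $secret, $forgedSignature));       // bool(false)
```

The expected value must always be the first argument of `hash_equals()`, so that a length mismatch reveals only the length of the known-good hash, which is public anyway, and never the attacker-controlled string.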
An admin user with SOAP API access was able to use the product and product attribute endpoints to upload an executable file to the server and execute it.
Thanks to Luke Rodgers for sharing his findings!
An administrator with permission to access
System > Permissions > Variables was able to add the config paths of encrypted configuration fields as variables. This made it possible to view the decrypted value of private information stored in those fields.
Thanks to Peter O’Callaghan for sharing his findings!
You can download these patches in your customer account at https://my.mage-one.com/patches. Everything you need to know about each issue and how to install the patches is explained there.