Mage One Patches for Magento 1: MO-18, MO-19, MO-20

Improved QPS Module

We improved the QPS module. You can now configure an email address to get a notification once new rules have been synchronized. You can find the configuration in System > Configuration > Quick Protection System > Notification.

Patch MO-18

This patch is based on a backport for CVE-2020-9690 of Magento 2. Magento’s hash compare functionality has an observable timing discrepancy vulnerability. Successful exploitation could lead to signature verification bypass.
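The class of fix involved, shown as an added example; this is not the MO-18 patch and not Magento's own code. The function names, key and payload are constructed for illustration. It verifies an HMAC signature with a comparison whose running time does not depend on how many leading bytes of the supplied value are correct.

```php
<?php
// Added illustration: constant-time comparison for signature checks.
// All names and sample values are constructed; none come from the patch.

/**
 * Compare two strings without stopping at the first differing byte.
 * Uses hash_equals() (PHP >= 5.6) when present, otherwise an XOR
 * accumulator that always walks the full length of the user input.
 */
function constantTimeEquals($known, $user)
{
    if (!is_string($known) || !is_string($user)) {
        return false;
    }
    if (function_exists('hash_equals')) {
        return hash_equals($known, $user);
    }
    $knownLen = strlen($known);
    $userLen  = strlen($user);
    if ($knownLen === 0) {
        return $userLen === 0; // avoid modulo by zero below
    }
    // A length mismatch is folded into the result instead of returning early.
    $diff = $knownLen ^ $userLen;
    for ($i = 0; $i < $userLen; $i++) {
        // The modulo keeps the index in range when the lengths differ.
        $diff |= ord($known[$i % $knownLen]) ^ ord($user[$i]);
    }
    return $diff === 0;
}

function verifySignature($payload, $signatureHex, $key)
{
    $expected = hash_hmac('sha256', $payload, $key);
    // Weak form: `return $expected === $signatureHex;`
    // An ordinary comparison may return as soon as a byte differs, so the
    // response time can reveal how much of the guess was correct.
    return constantTimeEquals($expected, $signatureHex);
}

// Constructed sample input.
$key     = 'constructed-demo-key';
$payload = 'order_id=1001&amount=19.99';
$good    = hash_hmac('sha256', $payload, $key);
$bad     = substr($good, 0, -1) . (substr($good, -1) === '0' ? '1' : '0');

var_dump(verifySignature($payload, $good, $key));
var_dump(verifySignature($payload, $bad, $key));
```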

Patch MO-19

An admin user was able to use SOAP access with product attributes and a product to upload an executable file to the server and execute it.

Thanks to Luke Rodgers for sharing his findings!

Patch MO-20

An administrator with permission to access System > Permissions > Variables was able to add config paths for encrypted config fields. This made it possible to view the decrypted value of private information.

Thanks to Peter O’Callaghan for sharing his findings!

You can download these patches in your customer account. Everything you need to know about the issue and how to install it is explained there.