6

Magento released an announcement about a critical vulnerability in the Magestore Store Locator extension.

There's been no patch released by the actual vendor, Magestore.

Does anyone know:

  1. What the vulnerability is?
  2. How to patch it?

I've created a GitHub repo that holds the original code of this extension, so you can see what the code is and perhaps see what the vulnerability is and suggest a patch?

The scope of functionality and code are available on the public GitHub repo.

Update

Magestore released a patch; it can be found here: https://blog.magestore.com/store-locator-extension-patch/

According to them:

Please note that customers using Magento 1 are not affected by this issue.

3
  • This is not off topic, as Magento released an announcement about this; also, the code is available in the linked GitHub repo. Commented Mar 13, 2019 at 13:39
  • I will just put this here, but there is a patch from Magestore: blog.magestore.com/store-locator-extension-patch Commented Mar 13, 2019 at 22:45
  • Thanks. This patch is only for Magento2. According to Magestore, this vulnerability does not affect M1. Commented Mar 14, 2019 at 2:04

1 Answer

0

Interestingly enough we've run the security scan on our Magento2 development site which doesn't have the module installed, yet it flags it up. What is the security scan actually testing?

1
  • I recommend you report your issue to [email protected]. In your report please specify the affected store URL. Commented Mar 13, 2019 at 15:12
