Magento released new versions containing upgrades, substantial security changes, and performance improvements. The patched security vulnerabilities were not exploited yet, but you should install security updates always as soon as possible. If you just want to install the fixes for the vulnerabilities, there are security-only patches available (ASPB20-59).
Fixed vulnerabilities
| Category | Vulnerability Impact | Severity | Magento Bug ID |
| File Upload Allow List Bypass | Arbitrary code execution | Critical | PRODSECBUG-2799 |
| SQL Injection | Arbitrary read or write access to database | Critical | PRODSECBUG-2779 |
| Improper Authorization | Unauthorized modification of customer list | Important | PRODSECBUG-2789 |
| Insufficient Invalidation of User Session | Unauthorized access to restricted resources | Important | PRODSECBUG-2785 |
| Improper Authorization | Unauthorized modification of Magento CMS pages | Important | PRODSECBUG-2796 |
| Sensitive Information Disclosure | Disclosure of document root path | Moderate | PRODSECBUG-2798 |
| Cross-site Scripting (Stored XSS) | Arbitrary JavaScript execution in the browser | Important | PRODSECBUG-2804 |
| Improper Authorization | Unauthorized access to restricted resources | Important | PRODSECBUG-2797 |
| Improper Authorization | Unauthorized access to restricted resources | Important | PRODSECBUG-2791 |
Highlights of the new versions
- Over 15 (35 for Magento 2.4) security enhancements that help close remote code execution (RCE) and cross-site scripting (XSS) vulnerabilities
- CAPTCHA protection has been added to the following product areas:
- Place Order storefront page and REST and GraphQL endpoints
- Payment-related REST and GraphQL endpoints.
Magento 2.4.2 additional new enhancements
Additional security enhancements
- All core cookies now support the
SameSiteattribute. - Magento now displays messages that identify potentially malicious content in product and category description fields when the user tries to save values in these fields.
- File system operations across Magento components have been standardized and hardened to prevent malicious uploads.
- Core Content Security Policy (CSP) violations have been fixed.
Platform enhancements
- Elasticsearch 7.9.x is now supported.
- Magento 2.4.2 has been tested with Varnish 6.4.
- Redis 6.x is now supported.
- Magento 2.4.2 is now compatible with Composer 2.x.
Performance enhancements
This release includes code enhancements that boost API performance and Admin response time for deployments with large catalogs.
GraphQL
- Added support for comparison lists.
- Added the
generateCustomerTokenAsAdminmutation and updated theCustomerobject to support remote purchasing assistance. - Added localization support across stores to support tasks such as changing languages, carts, and currencies.
- Added support for unions in Magento GraphQL.
- The GraphQL schema has been enhanced to optimize product data retrieval for configurable products with many variants.
- Integer type object IDs have been deprecated in favor of
uidattributes of type ID. - Added the
stagingattribute to theProductInterfaceandCategoryInterfaceto determine if a product is staged and to view its associated campaign information.
PWA Studio
- Internationalization and localization.
- Improved extensibility framework to support code changes through extensions.
- Initial components for My Account related features such as Wishlist, Saved Payments, Address Book, and Order History.
- Various performance optimizations and bug fixes.
Media Gallery
- New Role Resources for Media Gallery to control who can perform these actions:
- Insert media assets into content
- Upload assets
- Edit assets details
- Delete assets from the Media Gallery
- Manage folder structure.
- Web-optimized images in content.
Other enhancements
- This release includes Adobe Stock Integration v2.1.1.
- MFTF 3.2.1 is now available.
- Vendor Developed Extensions Updates
- AWS S3 support enhancements
Fixed issues
In both Magento 2.3 and Magento 2.4 updates a lot of issues were fixed. To see a full list of all over 160 fixes for Magento 2.3 visit devdocs.magento.com.
For the over 280 fixes for Magento 2.4 visit devdocs.magento.com.
Remember to create a backup before installing updates. Picture courtesy of Joseph Kellner.
