On October 12, Magento released security updates for Magento 2.3 and 2.4. This update fixes six (Magento 2.3) or seven (Magento 2.4) security-related issues, one of them is regarded as a Cross-Site Request Forgery vulnerability, the other ones are only issues. To increase security this update should be installed as soon as possible. It is possible to install the security patch only without the not security-related fixes and improvements.
Magento 2.3.7-p2
Security Fixes and Improvements
- Six security issues fixed
- Session IDs have been removed from the database.
- Restricted admin access to Media Gallery folders.
- Lowered limits to GraphQL query complexity.
Feature Fixes
- Fix for PHP fatal error on upgrade.
- Fix for an issue where the order price is displayed when a shopper tries to place an order with a different product using the PayPal payment method.
The full changelog can be found on devdocs.magento.com.
Magento 2.4.3-p1
Security Fixes and Improvements
- Seven security issues fixed
- Session IDs have been removed from the database.
- Restricted admin access to Media Gallery folders.
- Lowered limits to GraphQL query complexity.
Feature Fixes
- Fix for the PHP fatal error on upgrade known issue.
The full changelog can be found on devdocs.magento.com.
Remember to create a backup before updating.
