On 11th June 2024, Adobe released a critical security update, bulletin APSB24-40, for Magento Open Source, Adobe Commerce and the Adobe Commerce Webhooks plugin.
| Bulletin ID | Date Published | Priority |
|---|---|---|
| APSB24-40 | 11th June, 2024 | 3 |
The update fixes issues Adobe rates as ‘critical’, including one with a Common Vulnerability Scoring System (CVSS) base score of 9.8 out of 10; that score measures the severity of the individual flaw. The bulletin’s ‘Priority 3’ is a separate rating and is not a high-priority label: Adobe’s priority scale describes how urgently it expects customers to deploy, and 3 is its lowest tier, used for products that have not historically been targeted by attackers. It does not lessen the severity of the fixes, and a critical flaw in a platform that handles card payments is exactly the kind attackers look for, so it is still vital that your site is updated as soon as possible.
Another key element of this update is how it affects your Content Security Policy (CSP). Magento 2.4.7 already enforces CSP in restrict mode on the storefront checkout page and the admin order-creation page, and this update backports that behaviour to the earlier supported releases, so after patching those pages run in restrict mode by default. The change responds to PCI DSS v4.0, whose requirements 6.4.3 and 11.6.1 call for scripts on payment pages to be inventoried and authorised and for tampering with payment pages to be detected. In practice it means the shopper’s browser will refuse to load any script on the payment pages that the policy does not explicitly allow, and will send a violation report if a report URI is configured.
Whilst positive from a security perspective, this can also block legitimate third-party resources that checkout depends on (payment gateway scripts, 3-D Secure iframes, tag managers, chat widgets), and a shopper whose payment script is blocked cannot complete the order. To avoid that, run the checkout pages in CSP report-only mode first (the mode is set in app/etc/config.php or env.php), with a report URI that collects the browser’s violation reports, and review every blocked source. Those that are genuinely needed are then added to the policy through a csp_whitelist.xml file in a custom module; inline scripts need a hash or nonce entry rather than a host entry. Anything you do not recognise should be investigated rather than whitelisted: an unexpected script on the payment page is precisely what the policy exists to catch.
As a Magento development agency, we will be happy to do this review for our Magento Open Source and Adobe Commerce clients. It needs to be completed before the update is applied, since the update switches the checkout pages to restrict mode.
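To make the review step concrete, here is an added Python example; it is not Magento’s code and not this agency’s, and the hosts and report lines in it are constructed placeholders. It triages the JSON violation reports a browser POSTs to a CSP report URI during a report-only run, separates host sources from the literal `inline`/`eval` tokens browsers send for non-URL blocks (those need a hash or nonce, not a host entry), computes the base64 SHA-256 value Magento expects for an inline script, and drafts the `etc/csp_whitelist.xml` entries for the hosts a human has approved.

```python
"""Triage CSP violation reports from a report-only checkout run and draft
csp_whitelist.xml entries for the sources an operator approves.

Added example, not Magento code. The report shape follows the JSON that
browsers POST to a CSP report URI; hosts below are placeholders."""
import base64
import hashlib
import json
import re
from collections import Counter
from urllib.parse import urlsplit
from xml.sax.saxutils import escape

# Constructed sample reports (one JSON document per line), as a report-URI
# endpoint might have logged them. The last line is deliberately malformed.
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://shop.example/checkout/", '
    '"effective-directive": "script-src", "blocked-uri": "https://js.psp.example/v3/psp.js"}}',
    '{"csp-report": {"document-uri": "https://shop.example/checkout/", '
    '"effective-directive": "script-src", "blocked-uri": "https://js.psp.example/v3/fraud.js"}}',
    '{"csp-report": {"document-uri": "https://shop.example/checkout/", '
    '"effective-directive": "script-src", "blocked-uri": "inline"}}',
    '{"csp-report": {"document-uri": "https://shop.example/checkout/", '
    '"effective-directive": "frame-src", "blocked-uri": "https://3ds.psp.example/challenge"}}',
    '{"csp-report": {"document-uri": "https://shop.example/checkout/", '
    '"effective-directive": "script-src", "blocked-uri": "https://cdn.skimmer.example/s.js"}}',
    'not json at all',
]


def parse_reports(lines):
    """Yield (effective_directive, blocked_uri) for every well-formed report."""
    for line in lines:
        try:
            body = json.loads(line)["csp-report"]
        except (ValueError, KeyError, TypeError):
            continue  # malformed or not a CSP report: skip rather than crash
        directive = body.get("effective-directive") or body.get("violated-directive", "")
        yield (directive.split()[0] if directive else ""), body.get("blocked-uri", "")


def classify(blocked_uri):
    """Map a blocked-uri to (kind, value). Browsers send literal tokens for
    non-URL blocks ("inline", "eval"); those need a hash or nonce, not a host."""
    if blocked_uri in ("inline", "eval", "wasm-eval"):
        return blocked_uri, blocked_uri
    parts = urlsplit(blocked_uri)
    if parts.scheme in ("data", "blob"):
        return "scheme", parts.scheme
    if parts.netloc:
        return "host", parts.netloc.lower()
    return "unknown", blocked_uri


def summarize(lines):
    """Count blocked sources per (directive, kind, value)."""
    counts = Counter()
    for directive, uri in parse_reports(lines):
        kind, value = classify(uri)
        counts[(directive, kind, value)] += 1
    return counts


def inline_script_hash(script_body):
    """Base64 SHA-256 of the exact inline script text (without <script> tags),
    the value used in <value type="hash" algorithm="sha256"> entries."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_whitelist_xml(counts, approved_hosts):
    """Render csp_whitelist.xml for the host sources an operator approved.
    Hosts seen in reports but not approved are left out on purpose: a report
    says what the browser blocked, not whether it belongs on the page."""
    by_directive = {}
    for (directive, kind, value), _ in sorted(counts.items()):
        if kind == "host" and value in approved_hosts:
            by_directive.setdefault(directive, []).append(value)
    out = ['<?xml version="1.0"?>',
           '<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"',
           '               xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp/etc/csp_whitelist.xsd">',
           '    <policies>']
    for directive, hosts in by_directive.items():
        out.append(f'        <policy id="{escape(directive)}">')
        out.append('            <values>')
        for host in hosts:
            value_id = re.sub(r"[^a-z0-9]", "_", host)  # ids must be unique within the file
            out.append(f'                <value id="{value_id}" type="host">{escape(host)}</value>')
        out.append('            </values>')
        out.append('        </policy>')
    out += ['    </policies>', '</csp_whitelist>']
    return "\n".join(out)


if __name__ == "__main__":
    counts = summarize(SAMPLE_REPORTS)
    for (directive, kind, value), n in sorted(counts.items()):
        print(f"{n:3d}  {directive:<12} {kind:<7} {value}")
    approved = {"js.psp.example", "3ds.psp.example"}  # decided by a person, not by this script
    print(build_whitelist_xml(counts, approved))
```

Run against the sample, the summary shows the payment provider’s two scripts, its 3-D Secure frame, one inline script and one host nobody recognises. Only the approved hosts make it into the XML; the inline script is handled by putting `inline_script_hash()` of its exact body into a `type="hash" algorithm="sha256"` entry, and `cdn.skimmer.example` stays blocked until someone has explained why a script from there is loading on the checkout page. The generated file goes in the `etc/` directory of a small custom module, which is where Magento reads whitelist entries from.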
Native to Magento 2.4.7, the checkout CSP change is also being backported to the earlier, still-supported versions of Magento Open Source, Adobe Commerce and Adobe Commerce Webhooks. Here is the full list of versions affected by the security update:
| Product | Version | Platform |
|---|---|---|
| Magento Open Source | 2.4.7 and earlier; 2.4.6-p5 and earlier; 2.4.5-p7 and earlier; 2.4.4-p8 and earlier | All |
| Adobe Commerce | 2.4.7 and earlier; 2.4.6-p5 and earlier; 2.4.5-p7 and earlier; 2.4.4-p8 and earlier; 2.4.3-ext-7 and earlier*; 2.4.2-ext-7 and earlier*; 2.4.1-ext-7 and earlier*; 2.4.0-ext-7 and earlier*; 2.3.7-p4-ext-7 and earlier* | All |
| Adobe Commerce Webhooks | 1.2.0 to 1.4.0 | Manual plugin installation |
*These versions are only applicable to those using the platform as part of Adobe’s Extended Support Program.
For more insight into CSPs, read how Magento’s Content Security Policy keeps you secure. Details of the individual fixes are in Adobe’s Security Bulletin APSB24-40.
Get in contact with us if you’d like to find out more about how we can keep your Magento site secure for both Magento Open Source and Adobe Commerce.