Magento 2.4.6-p1
14 June 2023
Magento version 2.4.6-p1 is now available (security release).
Upgrading to Magento 2.4.6-p1
Magento 2.4.6-p1 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply Magento updates as new versions are released, or use Installatron's Clone feature to duplicate an existing Magento install to test the 2.4.6-p1 upgrade prior to applying it live. Get started managing your Magento installations with Installatron.
What's New in Magento 2.4.6-p1
This patch includes 13 security fixes.
Security
- CVE-2023-29287 Information Exposure (CWE-200) - Security feature bypass
- CVE-2023-29288 Incorrect Authorization (CWE-863) - Security feature bypass
- CVE-2023-29289 XML Injection (aka Blind XPath Injection) (CWE-91) - Security feature bypass
- CVE-2023-29290 Missing Support for Integrity Check (CWE-353) - Security feature bypass
- CVE-2023-29291 Server-Side Request Forgery (SSRF) (CWE-918) - Security feature bypass
- CVE-2023-29292 Server-Side Request Forgery (SSRF) (CWE-918) - Arbitrary file system read
- CVE-2023-29293 Improper Input Validation (CWE-20) - Security feature bypass
- CVE-2023-29294 Business Logic Errors (CWE-840) - Security feature bypass
- CVE-2023-29295 Incorrect Authorization (CWE-863) - Security feature bypass
- CVE-2023-29296 Incorrect Authorization (CWE-863) - Security feature bypass
- CVE-2023-29297 Cross-site Scripting (Stored XSS) (CWE-79) - Arbitrary code execution
- CVE-2023-22248 Incorrect Authorization (CWE-863) - Security feature bypass
- The default behavior of the isEmailAvailable GraphQL query and (V1/customers/isEmailAvailable) REST endpoint has changed. By default, the API now always returns true. Merchants can enable the original behavior, which is to return true if the email does not exist in the database and false if it exists.
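As an added example (not from this release note and not Magento's own code), a small post-upgrade check a merchant can run to confirm the new default: probe the REST endpoint named above with one address known to be registered and one that is not. Under the 2.4.6-p1 default both replies are true, so the endpoint no longer reveals which addresses have accounts; differing replies mean the original behaviour has been re-enabled. The `/rest` prefix and the JSON body field `customerEmail` are assumptions.

```python
import json
import urllib.request

# Endpoint path as named in the release note; the "/rest" prefix and the
# "customerEmail" body field are assumptions, not taken from the page.
REST_PATH = "/rest/V1/customers/isEmailAvailable"


def rest_is_email_available(base_url: str, email: str) -> bool:
    """POST one address to the endpoint and return its boolean reply."""
    req = urllib.request.Request(
        base_url.rstrip("/") + REST_PATH,
        data=json.dumps({"customerEmail": email}).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return bool(json.load(resp))


def discloses_account_existence(answers: dict) -> bool:
    """answers maps each probed address to the endpoint's reply.

    2.4.6-p1 default: every reply is True, so the set of replies has one
    value and nothing can be inferred about which addresses are registered.
    Original behaviour: a registered address gets False and an unknown one
    gets True, so the replies differ and the endpoint discloses existence.
    """
    return len(set(answers.values())) > 1


def check_store(base_url: str, known_registered: str, unregistered: str) -> dict:
    """Probe a live store with one registered and one unregistered address."""
    answers = {e: rest_is_email_available(base_url, e)
               for e in (known_registered, unregistered)}
    return {"answers": answers,
            "discloses_existence": discloses_account_existence(answers)}


# Constructed sample replies (no network): what each mode returns.
HARDENED_DEFAULT = {"owner@example.com": True, "nobody@example.com": True}
ORIGINAL_BEHAVIOUR = {"owner@example.com": False, "nobody@example.com": True}

if __name__ == "__main__":
    print("default discloses:", discloses_account_existence(HARDENED_DEFAULT))
    print("original discloses:", discloses_account_existence(ORIGINAL_BEHAVIOUR))
```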