Today, Magento is releasing new versions of Magento Commerce and Open Source to increase product security, performance and functionality
- Magento Open Source and Commerce 2.2.5
- Magento Open Source and Commerce 2.1.14
- Magento Open Source 126.96.36.199
- Magento Commerce 188.8.131.52
- SUPEE-10752 to patch earlier Magento 1.x versions
These releases include security enhancements that help close remote code execution, cross-site scripting, and cross-site request forgery. No confirmed attacks related to these issues have occurred to date. However, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions, so we strongly recommend that all merchants upgrade as soon as possible.
The release of Magento 2.2.5 also includes multiple performance and functionality enhancements.
- Enhancements that help close stored XSS, SQL injection, and cross-site request forgery (CSRF) vulnerabilities.
- Resolution of issues that customers were experiencing when upgrading to Magento 2.2.4 in deployments that span multiple websites. Magento multi-store installations were not using the store view-specific values from the store configuration settings if these settings differed from the global default configuration settings.
- Substantial improvements to indexing performance.
- Over 150 Magento community contributions. Customers can now create an account from the Order Confirmation page. Magento now correctly applies coupon codes that exclude bundle products. When sorting simple products, which catalog promo price rule is applied for, these products are sorted by a regular price instead disregarding the applied promo price.
- Improvements to Magento core bundled extensions.
SUPEE-10752, Magento Commerce 184.108.40.206 and Open Source 220.127.116.11 contain multiple security enhancements that help close authenticated Admin user remote code execution (RCE), cross-site request forgery (CSRF) and other vulnerabilities.