How to find an available patch for my website

I am using eComscan, a third-party software that helps to scan a Magento website for malware. While running the scan on my website it gives the following result.

eComscan shows a file as vulnerable and also tells me the line that is problematic. I am also pasting the report below.

[ eCommerce Security Scanner v1.4.14 (https://sansec.io), build 2021-09-03 ]

>> Check: Searching for vulnerabilities and hidden malware in files …
100% VULNERABILITY magento_vuln_request_forgery_2_4_3_2_3_7_p1_a3ce0
matched: $this->currentSession->load($this->authSession->getSessionId(), 'session_id')
in file:/public_html/vendor/magento/module-security/Model/AdminSessionsManager.php
c/mtime: 2021-10-14T07:32:28Z 2020-12-18T21:23:46Z
https://sansec.io/kb/checks/magento-core-vulnerabilities
Finished scanning 106758 files.

>> Check: Magento 2 – scanning database for malware …
Using config /public_html/app/etc/env.php
Finished scanning 7113 rows from core_config_data
Finished scanning 40 rows from cms_page
Finished scanning 116 rows from cms_block
Finished scanning 1 rows from newsletter_template
Finished scanning 19 rows from admin_user
Finished scanning 27 rows from information_schema.triggers

>> Check: Magento 2 – scanning for vulnerable 3rd party modules …

>> Found: 1x vulnerability on 246238.cloudwaysapps.com

We can see it shows a file as vulnerable, but this is a Magento core file.
/public_html/vendor/magento/module-security/Model/AdminSessionsManager.php

It also gives some steps to solve this:
https://sansec.io/kb/checks/magento-core-vulnerabilities

While going through the above link, I found out that there could be a bug in the file mentioned. A screenshot from the above link:

Here it is mentioned that there is an XSS bug in Magento 2.3.6-p1, and yes, this is my Magento version. But I am not sure how to solve this or if there is any patch available for this.

Could anyone please guide me about this or suggest anything that could help me solve the error, so that eComscan does not give any vulnerable file as output?

Please let me know if any more information is required from my end.
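As an added example (not part of the question, and not code from eComscan or Magento): a small Python parser for the finding blocks in a report like the one above. It turns each hit into a record and flags whether the file sits under vendor/magento, i.e. is core code that is fixed by upgrading or applying the vendor's official patch rather than by editing the file. The header regex, and the assumption that other finding kinds use the same "<pct>% <KIND> <check_id>" header shape, are mine; the sample report is constructed from the question.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, copied from the report in the question (not a live scan).
SAMPLE_REPORT = """>> Check: Searching for vulnerabilities and hidden malware in files ...
100% VULNERABILITY magento_vuln_request_forgery_2_4_3_2_3_7_p1_a3ce0
matched: $this->currentSession->load($this->authSession->getSessionId(), 'session_id')
in file:/public_html/vendor/magento/module-security/Model/AdminSessionsManager.php
c/mtime: 2021-10-14T07:32:28Z 2020-12-18T21:23:46Z
https://sansec.io/kb/checks/magento-core-vulnerabilities
Finished scanning 106758 files.
"""

@dataclass
class Finding:
    confidence: int                # percent, as printed by the scanner
    kind: str                      # e.g. VULNERABILITY
    check_id: str                  # scanner check name
    matched: Optional[str] = None  # offending source line
    path: Optional[str] = None
    ctime: Optional[str] = None
    mtime: Optional[str] = None
    reference: Optional[str] = None
    def is_core_file(self) -> bool:
        # Magento core ships under vendor/magento; fix by upgrading or patching, never by editing.
        return "/vendor/magento/" in (self.path or "")

HEADER = re.compile(r"^(\d+)% ([A-Z]+) (\S+)$")  # assumed shape: "<pct>% <KIND> <check_id>"
def parse_findings(report: str) -> list:
    findings, current = [], None
    for line in report.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            current = Finding(int(m.group(1)), m.group(2), m.group(3))
            findings.append(current)
        elif current is None:
            continue
        elif line.startswith("matched: "):
            current.matched = line[len("matched: "):]
        elif line.startswith("in file:"):
            current.path = line[len("in file:"):].strip()
        elif line.startswith("c/mtime: "):
            current.ctime, current.mtime = line[len("c/mtime: "):].split()
        elif line.startswith(("http://", "https://")):
            current.reference = line
        else:
            current = None  # any other line closes the finding block
    return findings
```

Run it over a saved report and group the records by `is_core_file()`: core hits are resolved by moving to the fixed release (or the vendor patch) named on the referenced knowledge-base page, while non-core hits point at third-party or custom code to review.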
