PRODSECBUG-2233

An unauthenticated cross-site scripting vulnerability combined with an authenticated Phar deserialization vulnerability has left older versions of Magento Commerce and Magento Open Source open to serious exploitation.
An attacker can use these vulnerabilities to inject JavaScript into the Magento Admin, and subsequently launch malicious code in a store user’s browser.
We strongly recommend that all users of the affected versions of Magento download and apply the appropriate patch as soon as possible.

The issue affects the following Magento versions (on-premises and cloud):

Magento Open Source v2.3.1, 2.3.0, 2.2.8, and earlier 2.2.x releases
Magento Commerce v2.3.1, 2.3.0, 2.2.8, and earlier 2.2.x releases
Magento Commerce Cloud v2.3.1, 2.3.0, 2.2.8, and earlier 2.2.x releases