Admin passwords saved as plain text to actions log
This article provides a fix for an issue where a Commerce Administrator creates a new user with Administrator privileges and the password is saved as plain text in the magento_logging_event_changes database table.
To fix this security issue, install the Adobe Commerce 2.0.16 and 2.1.9 Security Update. After applying the Security Update, the passwords are encrypted and do not appear as plain text.
Affected versions
Adobe Commerce on-premises 2.X.X
Adobe Commerce on cloud infrastructure 2.X.X
Issue
When an existing Commerce Administrator creates a new user with Administrator privileges via System > Permissions > All Users > Add new user, the current Administrator password (entered as a confirmation) is saved as plain text in the magento_logging_event_changes database table.
Steps to reproduce:
Log in as the Administrator and navigate to System > Permissions > All Users.
Click Add new user and fill in the new user's details. Provide your current Administrator password when prompted.
Go to System > Action Log > Report and open the last log entry.
The current Administrator password is visible in the entry, neither encrypted nor hashed.
Solution
Installing the Adobe Commerce 2.0.16 and 2.1.9 Security Update fixes this issue.
After installing the Security Update, the password is encrypted and does not show up in plain text in the magento_logging_event_changes table.
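The article describes what new log entries look like after the update; it does not say what happens to entries written before it, so it is worth checking the existing rows of magento_logging_event_changes for credential fields. The script below is an added example for this article, not Adobe's code. It assumes that the table's result_data (and original_data) columns hold PHP-serialized arrays, as the 2.0.x/2.1.x releases the article covers store them, and that the logged form field keys are named password, current_password or password_confirmation; those key names are an assumption, since the article only says "the password" is logged. The sample row is constructed for the example. Values are read by their declared byte length rather than by searching for quotes, so a password containing `"` or `;` is handled correctly, and the redacted output rewrites the length prefix so the row stays valid serialized data.

```python
"""Scan Commerce action-log rows for plaintext credentials and redact them.

Added example, not Adobe's code. Assumptions (not stated by the article):
  * magento_logging_event_changes.result_data / original_data contain
    PHP-serialized arrays (the 2.0.x / 2.1.x format);
  * the credential form fields are keyed as listed in SENSITIVE_KEYS.
A practitioner would feed this the rows returned by a query such as
  SELECT id, result_data FROM magento_logging_event_changes
   WHERE result_data LIKE '%password%';
(column names assumed) and write back redact(row) for every hit.
"""
import re

SENSITIVE_KEYS = {b"password", b"current_password", b"password_confirmation"}
REDACTED = b"[redacted]"

# PHP serialized string header:  s:<byte length>:"
_STR_HDR = re.compile(rb's:(\d+):"')


def _read_php_string(blob: bytes, m: re.Match):
    """Given a header match, return (value, offset after the closing '";').

    The declared byte length is used, so a value containing quotes or
    semicolons is read correctly instead of being cut short.
    """
    start = m.end()
    length = int(m.group(1))
    value = blob[start:start + length]
    end = start + length
    if blob[end:end + 2] != b'";':
        raise ValueError("malformed PHP serialized string at offset %d" % m.start())
    return value, end + 2


def find_plaintext_secrets(blob: bytes):
    """Return [(key, value), ...] for every sensitive key whose value is a
    serialized string in the blob."""
    hits = []
    pos = 0
    while (m := _STR_HDR.search(blob, pos)) is not None:
        key, pos = _read_php_string(blob, m)
        if key in SENSITIVE_KEYS:
            vm = _STR_HDR.match(blob, pos)   # value must directly follow the key
            if vm is not None:
                value, pos = _read_php_string(blob, vm)
                hits.append((key.decode(), value.decode(errors="replace")))
    return hits


def redact(blob: bytes) -> bytes:
    """Return a copy of the blob with every sensitive string value replaced.

    The replacement is written with its own length prefix, so the result is
    still a valid PHP-serialized array.
    """
    out = bytearray()
    pos = 0
    while (m := _STR_HDR.search(blob, pos)) is not None:
        key, after_key = _read_php_string(blob, m)
        out += blob[pos:after_key]          # copy everything up to and including the key
        pos = after_key
        if key in SENSITIVE_KEYS:
            vm = _STR_HDR.match(blob, pos)
            if vm is not None:
                _, pos = _read_php_string(blob, vm)   # skip the plaintext value
                out += b's:%d:"%s";' % (len(REDACTED), REDACTED)
    out += blob[pos:]
    return bytes(out)


# Constructed sample of a logged "add user" submission. Field names and values
# are made up for this example; the second password deliberately contains
# '"' and ';' to show that length-based reading is required.
SAMPLE_RESULT_DATA = (
    b'a:3:{s:8:"username";s:6:"jsmith";'
    b's:8:"password";s:11:"Hunter2!xyz";'
    b's:16:"current_password";s:9:"Adm"in;42";}'
)

if __name__ == "__main__":
    for key, value in find_plaintext_secrets(SAMPLE_RESULT_DATA):
        print("plaintext credential in log row: key=%s value=%r" % (key, value))
    print(redact(SAMPLE_RESULT_DATA).decode())
```

Run it against rows fetched from the table (not just the constructed sample) to see whether older entries still hold plaintext credentials; redact() produces the value to write back, and any user whose password appears in a hit should be treated as exposed.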
More information
Adobe Commerce 2.0.16 and 2.1.9 Security Update page in our security center.
Upgrade the Adobe Commerce application and components in our developer documentation.