Admin passwords saved as plain text to actions log
This article provides a fix for the case where a Commerce Administrator creates a new user with Administrator privileges and the password is saved as plain text in the magento_logging_event_changes database table. To fix this security issue, install the Adobe Commerce 2.0.16 and 2.1.9 Security Update. After applying the Security Update, the passwords are encrypted and no longer appear as plain text.
Description
Environment
- Adobe Commerce on-premises 2.X.X
- Adobe Commerce on cloud infrastructure 2.X.X
Issue/Symptoms
When an existing Commerce Administrator creates a new user with Administrator privileges via System > Permissions > All Users > Add new user, the password (entered as a confirmation) is saved as plain text in the magento_logging_event_changes database table.
Steps to reproduce
- Log in as the Administrator and create a new user by navigating to this path: System > Permissions > All Users.
- Then click the Add new user page. Provide your current Administrator's password when prompted.
- Go to the System > Action Log > Report page and find the last log entry.
- You can see the current password, neither encrypted nor hashed.
Resolution
Installing the Security Update fixes this issue.
After installing the Security Update, the password gets encrypted and does not show up in plain text in the magento_logging_event_changes table.
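The following query is an added example, not part of the Adobe article, for checking whether the action log on your own instance still holds password values before and after the Security Update is applied. It assumes the Magento_Logging schema columns id, event_id, source_name, original_data and result_data; confirm them with SHOW COLUMNS before relying on the result.

```sql
-- Added example (not from the Adobe KB article). Column names are assumed
-- from the Magento_Logging schema; check them with:
--   SHOW COLUMNS FROM magento_logging_event_changes;

-- 1. List recent change records whose serialized data mentions a password
--    field, so they can be reviewed in the Action Log report by event_id.
SELECT c.id,
       c.event_id,
       c.source_name,
       LEFT(c.result_data, 120) AS result_preview
FROM magento_logging_event_changes AS c
WHERE c.original_data LIKE '%password%'
   OR c.result_data   LIKE '%password%'
ORDER BY c.id DESC
LIMIT 50;

-- 2. Count affected rows per source model; after the Security Update and
--    a fresh "Add new user" test this should show no new plain-text hits.
SELECT c.source_name, COUNT(*) AS affected_rows
FROM magento_logging_event_changes AS c
WHERE c.original_data LIKE '%password%'
   OR c.result_data   LIKE '%password%'
GROUP BY c.source_name;
```

Rows found by the first query were written while the vulnerable version was in use and should be purged following the database-modification guidance in the Commerce Implementation Playbook, then the affected Administrator password rotated.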
Related reading
- in our security center
- Upgrade the Adobe Commerce application and components in our developer documentation
- Best practices for modifying database tables in the Commerce Implementation Playbook