Even the Store Commander team is not infallible: first security breach published in 14 years!
Following an audit, a major security breach was detected in December 2022 on two modules. We patched these modules very quickly on our side, but users must also take action on their own stores.
We would like to thank TouchWeb and 202 Ecommerce for the discovery of this flaw and their valuable technical assistance.
Our customers have been notified privately by email several times, asking them to update or remove the 2 affected modules as soon as possible.
If you haven't done so yet, you need to take action on your store to avoid theft of your data.
Concerned module: Export Customers
Technical name: scexportcustomer
Impacted versions: all versions prior to 3.6.2
Fixed version: 3.6.2 integrated in Store Commander
Technical details: https://friends-of-presta.github.io/security-advisories/modules/2023/05/02/scexportcustomers.html
Concerned module: Export Orders
Technical name: scquickaccounting
Impacted versions: all versions prior to 3.7.4
Fixed version: 3.7.4 integrated in Store Commander
Technical details: https://friends-of-presta.github.io/security-advisories/modules/2023/05/04/scquickaccounting.html
As well as:
Concerned module: Fix My Prestashop
Technical name: scfixmyprestashop
Impacted versions: all versions
Fixed version: Uninstall and delete the module
Technical details: https://friends-of-presta.github.io/security-advisories/modules/2023/05/25/scfixmyprestashop.html
The same action is necessary for each module:
You don't use the module anymore?
Uninstall and delete the module from your server. Deleting is necessary, because disabling or uninstalling is not enough.
To use the latest version of the module:
Update Store Commander through the menu Help > Update
Take the opportunity to activate automatic updates
Run a security scan of your store with FixMyPrestaShop:
Open the Tools > FixMyPrestaShop menu, (1) select Security Tools, (2) run the tests by clicking on the Play icon, then follow the instructions.
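One way to check a shop's files against the module list above, as an added example that is not Store Commander's own tooling. It assumes the standard PrestaShop layout (modules under modules/<technical name>/ with a version in config.xml) and GNU sort; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a PrestaShop tree for the modules named in this notice.
# Assumptions (not from the notice): modules live in <shop root>/modules/<name>/,
# declare their version in config.xml, and GNU "sort -V" is available.

# Print the version found in <module dir>/config.xml, or "unknown".
module_version() {
    v=$(sed -n 's/.*<version>[^0-9]*\([0-9][0-9.]*\).*/\1/p' "$1/config.xml" 2>/dev/null | head -n 1)
    echo "${v:-unknown}"
}

# True when version $1 is strictly older than version $2.
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# audit_shop <shop root>: prints one line per module, returns 1 if action is needed.
# A directory left on disk is reported even if the module was uninstalled in the
# back office, since the notice says uninstalling without deleting is not enough.
audit_shop() {
    root=$1; status=0
    # name:fixed-version pairs from the notice ("none" = no fixed release).
    # The notice spells the first module "scexportcustomer"; its advisory URL
    # spells it "scexportcustomers", so both directory names are checked.
    for entry in scexportcustomer:3.6.2 scexportcustomers:3.6.2 \
                 scquickaccounting:3.7.4 scfixmyprestashop:none; do
        name=${entry%%:*}; fixed=${entry#*:}; dir="$root/modules/$name"
        if [ ! -d "$dir" ]; then
            echo "OK       $name: not present on disk"; continue
        fi
        ver=$(module_version "$dir")
        if [ "$fixed" = none ]; then
            echo "REMOVE   $name: all versions affected, delete $dir"; status=1
        elif [ "$ver" = unknown ]; then
            echo "CHECK    $name: version unreadable, fixed in $fixed"; status=1
        elif version_lt "$ver" "$fixed"; then
            echo "UPDATE   $name: $ver is older than $fixed, update or delete $dir"; status=1
        else
            echo "OK       $name: $ver"
        fi
    done
    return $status
}

# Stand-alone use: sh audit.sh /path/to/shop
if [ "$#" -gt 0 ]; then audit_shop "$1"; fi
```

A non-zero exit status makes the script usable in a scheduled job that alerts when one of the listed directories reappears, for example after a backup restore.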
More technical information will be available soon via a link here; contact our support team if you need further information.