Magento 2 Malware – How to Find an Available Patch for Website

magento2malware

I am using eComscan, a third-party tool that scans a Magento website for malware. While running the scan on my website it gives the following result:


eComscan shows the file as vulnerable and also reports the problematic line. I am also pasting the report below.

[ eCommerce Security Scanner v1.4.14 (https://sansec.io), build 2021-09-03 ]


>> Check: Searching for vulnerabilities and hidden malware in files ...
   100% VULNERABILITY magento_vuln_request_forgery_2_4_3_2_3_7_p1_a3ce0
        matched: $this->currentSession->load($this->authSession->getSessionId(), 'session_id')
        in file:/public_html/vendor/magento/module-security/Model/AdminSessionsManager.php
        c/mtime: 2021-10-14T07:32:28Z 2020-12-18T21:23:46Z
        https://sansec.io/kb/checks/magento-core-vulnerabilities
   Finished scanning 106758 files.

>> Check: Magento 2 - scanning database for malware ...
   Using config /public_html/app/etc/env.php
   Finished scanning 7113 rows from core_config_data
   Finished scanning 40 rows from cms_page
   Finished scanning 116 rows from cms_block
   Finished scanning 1 rows from newsletter_template
   Finished scanning 19 rows from admin_user
   Finished scanning 27 rows from information_schema.triggers

>> Check: Magento 2 - scanning for vulnerable 3rd party modules ...

>> Found: 1x vulnerability on 246238.cloudwaysapps.com

We can see it shows a file as vulnerable, but this is a Magento core file:
/public_html/vendor/magento/module-security/Model/AdminSessionsManager.php

It also gives some steps to solve this:
https://sansec.io/kb/checks/magento-core-vulnerabilities

While going through the above link, I found that there could be a bug in the file mentioned. A screenshot from the above link:


Here it is mentioned that there is an XSS bug in Magento 2.3.6-p1, and yes, this is my Magento version. But I am not sure how to solve this or whether there is any patch available for it.

Could anyone please guide me on this or suggest anything that could help me resolve the error, so that eComscan does not report any vulnerable file?

Please let me know if any more information is required from my end.

Best Answer

Looks like the matched line was removed in this commit, but without knowing what the vulnerability is, changing just this line may not necessarily fix it.

What I would recommend is upgrading to 2.3.7-p2 (40+ security fixes added since your version). Looking at the BIC list from your version to the latest patch version of the 2.3 branch, there do not appear to be any symbols removed from interfaces or any DB column removals/constraints.

I have just done a 2.4.2-p2 -> 2.4.3-p1 upgrade for a client with only a minor issue that required us to take action, so with any luck the upgrade you need to do should be similar. I would still recommend running through all your normal testing scenarios for any critical business processes or customer journeys.
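A small triage script, added here and not part of the question or the answer, that checks two things before and after the recommended upgrade: whether the installed platform version (read from composer.lock) is still below 2.3.7-p2, and whether the exact line eComscan matched is still present in the flagged core file. The metapackage name `magento/product-community-edition` and the `assess`/`assess_install` helpers are assumptions of this example.

```python
import json
import re
from pathlib import Path

# File and matched line exactly as reported by eComscan above.
FLAGGED_FILE = "vendor/magento/module-security/Model/AdminSessionsManager.php"
FLAGGED_LINE = "$this->currentSession->load($this->authSession->getSessionId(), 'session_id')"
# Version the accepted answer recommends upgrading to.
TARGET_VERSION = "2.3.7-p2"
# Composer metapackage that carries the platform version (assumed; differs for Commerce installs).
PLATFORM_PACKAGE = "magento/product-community-edition"


def parse_version(version):
    """Turn '2.3.6-p1' into (2, 3, 6, 1); a release without a -pN suffix gets patch level 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version: {version!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_at_least(installed, required):
    return parse_version(installed) >= parse_version(required)


def installed_magento_version(lock_text, package=PLATFORM_PACKAGE):
    """Read the platform version from the text of composer.lock."""
    for pkg in json.loads(lock_text).get("packages", []):
        if pkg.get("name") == package:
            return pkg["version"]
    return None


def assess(lock_text, flagged_file_text):
    """Combine both checks; whitespace is collapsed so reformatting does not hide the line."""
    squash = lambda s: re.sub(r"\s+", " ", s)
    version = installed_magento_version(lock_text)
    return {
        "version": version,
        "version_ok": version is not None and is_at_least(version, TARGET_VERSION),
        "signature_present": squash(FLAGGED_LINE) in squash(flagged_file_text),
    }


def assess_install(root):
    """Run the checks against a real Magento root (composer.lock and the flagged core file)."""
    root = Path(root)
    target = root / FLAGGED_FILE
    file_text = target.read_text() if target.exists() else ""
    return assess((root / "composer.lock").read_text(), file_text)


# Constructed fixtures mirroring the situation in the question (not real files).
SAMPLE_LOCK = json.dumps({"packages": [{"name": PLATFORM_PACKAGE, "version": "2.3.6-p1"}]})
SAMPLE_FILE = "<?php\n// ...\n        " + FLAGGED_LINE + ";\n"
```

Run `assess_install("/public_html")` on the server; a result with `version_ok` false or `signature_present` true means the upgrade has not landed yet or vendor files were not refreshed.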
