When the proof-of-concept code was published, comments in the code revealed that it could also be modified to obtain other information from Magento’s database, such as admin and customer password hashes. The vulnerability was also found to have been present in Magento since version 1 of the software, which means that any Magento site that has not installed the latest update is potentially susceptible.
The company’s developers recently disclosed and patched a number of vulnerabilities, including PRODSECBUG-2198. A stand-alone patch exists for this vulnerability, but because the other flaws also pose a threat, all customers are advised to upgrade to Magento Commerce or Open Source 2.3.1 or 2.2.8.
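For anyone responsible for more than one store, the practical question is which installations still predate the fixed releases named above. The following script is an added example, not code from the article or from Magento; it encodes only what the article states (the fix ships in 2.3.1 and 2.2.8, and every earlier release back to version 1 is affected). Branches for which the article names no fixed release (2.1.x, 1.x) are reported as needing the update, which is this script's own assumption; the `inventory` it runs over is constructed sample data.

```python
"""Triage Magento installations against the PRODSECBUG-2198 fixed releases.

Added example (not from the article or from Magento). Assumptions:
  * 2.3.1 and 2.2.8 are the earliest fixed releases on their branches (from the article);
  * any branch without a named fixed release (2.1.x, 1.x) is treated as unpatched;
  * security-only suffixes such as "-p1" are accepted but do not change the verdict.
"""
import re

# Earliest release on each branch that contains the fix, as stated in the article.
FIXED_ON_BRANCH = {
    (2, 3): (2, 3, 1),
    (2, 2): (2, 2, 8),
}

# Magento 2 uses MAJOR.MINOR.PATCH, Magento 1 used four components (e.g. 1.9.4.0);
# an optional "-pN" suffix marks a patch-level release.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+){2,3})(?:-p(\d+))?$")


def parse_version(text):
    """Parse a Magento version string into a comparable tuple of integers."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError("unrecognised Magento version string: %r" % text)
    numbers = tuple(int(part) for part in match.group(1).split("."))
    patch_level = int(match.group(2) or 0)
    return numbers + (patch_level,)


def needs_update(version_text):
    """Return True if the release predates the fixed release on its branch.

    Branches with no fixed release named in the article are assumed vulnerable.
    """
    version = parse_version(version_text)
    fixed = FIXED_ON_BRANCH.get(version[:2])
    if fixed is None:
        return True  # assumption: no fixed release known for this branch
    return version[:3] < fixed


def triage(inventory):
    """Given {hostname: version}, return only the hosts that still need the update."""
    return {host: ver for host, ver in inventory.items() if needs_update(ver)}


if __name__ == "__main__":
    # Constructed sample inventory for illustration only.
    inventory = {
        "shop-a.example": "2.3.0",
        "shop-b.example": "2.3.1",
        "shop-c.example": "2.2.7",
        "shop-d.example": "2.2.8-p1",
        "legacy.example": "1.9.4.0",
    }
    for host, ver in triage(inventory).items():
        print("%s runs %s: upgrade required" % (host, ver))
```

Run it against a real inventory by replacing the constructed dictionary with the version strings reported by each store (for Magento 2, `bin/magento --version` prints it); hosts it lists are the ones the recommendation above applies to.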
Source: TechRadar