Magento security issues - Partners never updated or installed patches for 2 years.

Premium and Global Elite partners completely ignored all security measures.

The demo versions of their templates, modules and other solutions were installed on outdated Magento versions.

The problem is that many Magento developers and solution partners have not installed any patches or upgraded for 2 years. This is all Magento's fault, because they never check extensions on their marketplace, and they don't care how Partners work.

Our investigation revealed that using (2-year-old!) security bugs, you can easily access any files on the server, including logins and passwords for remote servers and storages, GitHub and Atlassian accounts.

For years, they endangered everyone, their systems, files, and accounts of customers and other organizations. All security warnings and messages were ignored.

You can go to Magento Marketplace and, for example, select extensions with the version compatibility tag 2.0 or 2.1. On the extension page there will be a link to its demo; go to the admin panel, and if the version is <2.2.6, this version is vulnerable to RCE and LFR.

Proof: https://blog.scrt.ch/2019/01/24/magento-rce-local-file-read-with-low-privilege-admin-rights/
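For anyone running demo or staging stores of their own, the same version test can be run from the inside. This is an added example, not code from the original post: it reads the Magento product metapackage version from each host's composer.lock and flags anything below the 2.2.6 threshold stated above. The host names and lock contents are constructed sample data.

```python
import json
import re

# Threshold taken from the post: versions below 2.2.6 are reported as vulnerable.
FIXED_IN = (2, 2, 6)
# Composer metapackages that pin the Magento 2 release.
PRODUCT_PACKAGES = {
    "magento/product-community-edition",
    "magento/product-enterprise-edition",
}

def parse_version(text):
    """Return (major, minor, patch) from strings like '2.2.5' or 'v2.1.18'."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.groups())

def magento_version(composer_lock_text):
    """Return the Magento version tuple from composer.lock text, or None if absent."""
    lock = json.loads(composer_lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") in PRODUCT_PACKAGES:
            return parse_version(pkg.get("version", ""))
    return None

def audit(inventory):
    """Map each host to 'outdated', 'ok' or 'unknown' given {host: composer.lock text}."""
    report = {}
    for host, lock_text in inventory.items():
        try:
            version = magento_version(lock_text)
        except ValueError:  # also covers json.JSONDecodeError
            version = None
        if version is None:
            report[host] = "unknown"  # unreadable lock file: check by hand
        else:
            report[host] = "outdated" if version < FIXED_IN else "ok"
    return report

def _lock(name, version):
    return json.dumps({"packages": [{"name": name, "version": version}]})

# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE = {
    "demo-a.example": _lock("magento/product-community-edition", "2.1.9"),
    "demo-b.example": _lock("magento/product-enterprise-edition", "2.2.6"),
    "demo-c.example": _lock("magento/product-community-edition", "v2.2.5"),
    "demo-d.example": "{not json",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" have a missing or unparsable lock file and need a manual check rather than being assumed safe.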

Just to be clear - this bug is 2 years old!!! I just wanted to show that the partners of Magento are neither celestials nor special and carefully chosen specialists. In fact, this shows that all these awards, titles and certificates do not mean anything at all, and what lurks behind the wall of marketing.