Newly disclosed SQL injection in widespread e-commerce platform Magento:
https://www.ambionics.io/blog/magento-sqli
– according to the article, Magento 2.2.x/2.3.x is affected
– attackers can read anything from the database, including password hashes
– fixed in Magento 2.3.1 (along with many other vulnerabilities)
– besides, Magento 2.2.8 and 2.1.17 were released