Admin passwords saved as plain text to actions log

This article provides a fix for when a Commerce Administrator creates a new user with the Administrator privileges and the password is saved as plain text in the magento_logging_event_changes database table.

To fix this security issue, install the Adobe Commerce 2.0.16 and 2.1.9 Security Update. After applying the Security Update, the passwords are encrypted and do not appear as plain text.

Affected versions Adminpasswordsaresavedasplaintexttoactionslog('magento_logging_event_changes'table)-Affectedversions

Issue Adminpasswordsaresavedasplaintexttoactionslog('magento_logging_event_changes'table)-Issue

When an existing Commerce Administrator creates a new user with the Administrator privileges via System > Permissions > All Users > Add new user, the password (entered as a confirmation) is saved as plain text in the magento_logging_event_changes database table.

Steps to reproduce: Adminpasswordsaresavedasplaintexttoactionslog('magento_logging_event_changes'table)-Stepstoreproduce

Solution Adminpasswordsaresavedasplaintexttoactionslog('magento_logging_event_changes'table)-Solution

Installing the Adobe Commerce 2.0.16 and 2.1.9 Security Update fixes this issue.

After installing the Security Update, the password gets encrypted and does not show up in plain text in the magento_logging_event_changes table.

More information Adminpasswordsaresavedasplaintexttoactionslog('magento_logging_event_changes'table)-Moreinformation

Adobe Commerce 2.0.16 and 2.1.9 Security Update page in our security center.

Upgrade the Adobe Commerce application and components in our developer documentation.