Reference on Webscale Product Documentation

Essentials environment reference

Mon, 01 Jan 0001 00:00:00 +0000

Lookup-style reference for Essentials environments.

1. Service management

These services can be managed with systemctl (no password) by allowed users:

Unit	Description
`rabbitmq`	Message queue
`opensearch`	Search backend
`valkey-persistent`	Persistent key-value store
`valkey-volatile`	Volatile cache
`vinyl`	Vinyl (Varnish) HTTP Cache
`php-fpm`	PHP application processes
`mysql`	MySQL database
`relay`	HTTP relay / reverse proxy

Examples

systemctl status php-fpm
systemctl restart rabbitmq
systemctl restart mysql

2. Helper commands

Available to users in the adm group:

Webscale Pro V3 environment

Mon, 01 Jan 0001 00:00:00 +0000

Container shell helpers

Webscale Pro V3 environments run your application in containers. To open a shell inside the application container from the NFS host, use the shell helper script:

shell

This script opens an interactive shell inside the container with the site code mounted (/var/www/html) and all the shared folders (media, var, etc).

Deployment helper scripts

The following helper scripts are available for deployments on Webscale Pro V3 environments:

list-images – lists available container images (for example tags by commit or branch).
tag-by-commit – updates the deploy tag to point to an image built from a specific commit.
tag-by-branch – updates the deploy tag to point to an image built from a specific branch.
run-deploy-and-cleanup – runs the deployment using the current deploy tag, executes hooks, and cleans up.

These scripts are used in the Webscale Pro V3 deployment guide and should not be modified.

Introducing Application Shielding

Mon, 01 Jan 0001 00:00:00 +0000

Overview

Application Shielding is an opt-in product feature for all Webscale customers that allows a controlled isolation of the application servers in a customer’s cloud account from Internet traffic. We developed this feature in response to requests from a handful of Webscale customers who wanted to configure their application servers so that all traffic reaching their application is from the Webscale proxy servers. Application Shielding makes it possible to eliminate direct HTTP/HTTPS traffic to the application servers from the Internet unless they are explicitly allowed by firewall settings or whitelists. It forces all other traffic to be routed through the Webscale proxies, better insulating the application from malicious attacks.

Webscale Shared Responsibility Security and Operational Model - Shopware

Mon, 01 Jan 0001 00:00:00 +0000

Last Update: March 4, 2026

The Webscale Managed Platform for Shopware is a platform-as-a-service (PaaS) designed to support the unique architecture of Shopware 6. This model ensures that while Webscale handles the high-performance infrastructure and Symfony-optimized environment, the Merchant and Systems Integrator (SI) manage the application logic and customer experience.

1. Executive Summary & Strategic Recommendations

Summary: For Shopware merchants, the shared model focuses on the stability of the Symfony framework and the performance of the Shopware Storefront/Admin. Webscale manages the underlying stack (Linux/PHP/MySQL), while the Merchant/SI manages the Shopware core and third-party extensions.

Shutdown hooks

Mon, 01 Jan 0001 00:00:00 +0000

This page describes how to configure and use Webscale’s shutdown hook mechanism so your application servers can finish in-flight work cleanly before they are destroyed.

The goal: when Webscale needs to terminate a server (scale in, rolling deploy, or manual destroy), your application gets a clear signal, some time to react, and the platform waits (up to a limit) before terminating the server.

Scope: This applies to managed or unmanaged clusters running a web-server image of version 2025.44 or later.

Ubuntu Package Security & Backporting Policy

Mon, 01 Jan 0001 00:00:00 +0000

Core Strategy

Webscale utilizes official Ubuntu-packaged software for all core infrastructure components. While upstream developers frequently release new “mainline” versions with higher version numbers, Webscale prioritizes the stable versions maintained and vetted by Canonical (the publishers of Ubuntu).

The Backporting Mechanism

The primary reason for staying on a specific Ubuntu package version is the process of backporting.

Definition: Backporting is the practice of taking a specific security fix (CVE patch) from a newer version of software and applying it to an older, more stable version.
Canonical’s Role: Canonical’s security team monitors upstream vulnerabilities. When a vulnerability is found in a tool like Nginx, they apply the fix to the version of Nginx currently shipping with the Ubuntu LTS (Long Term Support) release.
Result: The version number of the package remains the same (e.g., 1.18.0), but the security posture is identical to the latest upstream version (e.g., 1.25.x).

Technical Comparison: Nginx Security Case Study

A common customer request is to upgrade to the latest “mainline” version of Nginx to address specific CVEs. The table below illustrates how Webscale/Ubuntu addresses these concerns:

Content Security Policy Directives

Mon, 01 Jan 0001 00:00:00 +0000

The HTTP Content-Security-Policy response header allows web site administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks (XSS ).

Webscale’s Set Content Security Policy action for Web Controls allows you to set the following directives. Click the name of each directive for more detailed information.

Introducing HTTP Headers and Status Codes

Mon, 01 Jan 0001 00:00:00 +0000

Overview

HTTP requests and responses include HTTP headers, which contain additional information that the client and server pass on to each other. Request and response bodies are located at the bottom of the message. Depending on the method, not all requests require bodies. Requests with methods that pertain to fetching resources like GET, HEAD, DELETE, and OPTIONS usually don’t need them.

Requests with methods that send data to servers to update them do need bodies. One example is the POST method.

Introducing Webscale Account Hierarchies

Mon, 01 Jan 0001 00:00:00 +0000

Note:

Webscale account hierarchies are an advanced feature.

Overview

Webscale accounts (parent accounts) can optionally be configured with one more sub-accounts to create account hierarchies. This hierarchial relationship naturally matches the structure Webscale Partners use to manage their various eCommerce clients. In concert with Webscale role-based access , this hierarchy allows Partners to grant a user access to multiple sub-accounts while also being able to limit their access in each account.

Introducing Webscale Role-based Access

Mon, 01 Jan 0001 00:00:00 +0000

Overview

Webscale role-based access (RBAC) uses the permissions of the roles to which a user has accepted invitations to determine their Webscale API access. Account owners can configure roles with granular Webscale API permissions, allowing administrators to deploy to users the least amount of API access needed for the user to complete their task.

This overview will focus on the concepts and mechanisms necessary to understand RBAC.

Permissions

Roles used for RBAC are configured with permissions. These permissions describe exactly the parts of the API the user can access. Permissions are defined using three pieces of information:

Magento 1 EOL Support - FAQ

Mon, 01 Jan 0001 00:00:00 +0000

What is M1 Support?

Webscale M1 Support is a comprehensive, security-focused SaaS solution for digital commerce merchants planning to remain on Magento 1.x beyond its end-of-life (EOL) in June 2020.

There are two options to Webscale M1 Support:

Webscale Cloud M1 Support for customers whose hosting environment is in the cloud and managed by Webscale (and typically hosted by Webscale as well).
Webscale On-Prem M1 Support for customers whose hosting environment is not managed by Webscale (maybe hosted in the cloud or in a private data center).

Does Webscale support M1 Commerce (formerly known as Enterprise) and M1 Open-source (formerly known as Community)?

Yes! Webscale’s M1 On-Prem and Cloud Support protects M1 commerce and Open-source customers.

Magento 1 EOL Patches

Mon, 01 Jan 0001 00:00:00 +0000

Patches to fix discovered vulnerabilites in Magento 1 are made available to customers who have a Magento 1 EOL Support plan. A list of these patches is maintained here, including patch date, description, and a link to download the patch. For more information on Magento 1 EOL Support, please read the FAQs .

Note:

M1 Commerce patches will be available within 60 days from date mentioned below.

Date	ID	Description	Open Source	Commerce
Aug 07 2020	12	Improves PCI-DSS compliance by forcing login form to disable autocompletion.	Download	Download
Aug 07 2020	13	(HIGH) Re-release of Adobe’s SUPEE-11346 (originally released on 06/22/2020) for Magento 1.9.4.5.	Download
Aug 07 2020	14	Prevents parallel logins for the same user account (session attack for backend and frontend).	Download	Download
Aug 19 2020	15	Adds new configuration option to enable “secure” marker for all cookies.	Download	Download
Aug 28 2020	16	Adds compatibility for PHP 7.3.	Download	Download
Aug 28 2020	17	Improves clearing of session data with parallel logins.	Download	Download
Oct 01 2020	18	(CRITICAL) This patch is based on a backport for CVE-2020-9690 of Magento 2.	Download	Download
Oct 01 2020	19	(CRITICAL) Prevents admin users from using soap access w/product attributes and a product to upload and execute executable files to the server.	Download	Download
Oct 01 2020	20	Prevents admin users with access to `System > Permissions > Variables` from adding config paths for encrypted config fields.	Download	Download
Oct 29 2020	21	Improves compatibility of 3rd party integrations by flagging cookies as `SameSite=None`.	Download	Download
Oct 29 2020	22	(HIGH) Prevents access to the `/downloader` directory.	Download	Download
Oct 29 2020	23	Replaces the news feed URL in Magento so you receive patch notifications in your admin panel.	Download	Download
Oct 29 2020	24	Avoids incorrect form keys creating an error log entry. This is an improvement for patch ID 18.	Download	Download
Oct 29 2020	25	(CRITICAL) Fixes an issue whereby an administrator with permission to update product data was able to store an executable file on the server and load it via layout xml.	Download	Download
Dec 09 2020	26	Improves cookie handling.	Download	Download
Dec 09 2020	27	(HIGH) Prevents admin users with permission to import/export data and to create widget instances from loading an executable file via layout xml.	Download	Download
Dec 09 2020	28	(HIGH) Prevents admin users with permission to create products from injecting an executable file on the server via wishlist functionality.	Download	Download
Dec 09 2020	29	(HIGH) Prevents admin users with permission to import/export data and to edit cms pages from injecting an executable file on the server via layout xml.	Download	Download
Dec 09 2020	30	Improves patch 20.	Download	Download
Dec 09 2020	31	Improves patch 21.	Download	Download
Dec 09 2020	32	Fixes an issue with patch 23.	Download	Download
Jan 21 2021	33	Fixes an issue with patch 31: Cookie secure flag wasn’t `boolean` in JavaScript.	Download	Download
Jan 21 2021	34	Adds `samesite` setting to PHP based session cookies.	Download	Download
Apr 05 2021	35	Fixes a core bug when using prepare data for redirecting. Note: This patch is also required for patch 39 to operate properly.	Download	Download
Apr 05 2021	36	(HIGH) Fixes a bug in Zend Framework’s Stream HTTP Wrapper - CVE-2021-3007	Download	Download
Apr 05 2021	37	Support for PHP 7.4 and PHP 8. In order to switch to PHP 7.4 or PHP 8 you also have to make sure any custom code and third party extension is compatible with these PHP versions! Known Issue: Applying this patch might fail because there are versions of Magento in circulation that use `\r\n` line breaks instead of `\n` line breaks for certain files. Option 1: If you encounter errors when applying the patch, you can use the command line utility dos2unix to correct the line breaks. You can use the following command: ```find . -type f -print0	xargs -0 dos2unix`</div> <div>Option 2: If you cannot install or use dos2unix, you can also use sed on the command line to correct the line breaks:`find . -type f -name *.php -print -exec sed -i ’’ ’s/\r//’ {} ;```	Download
Apr 05 2021	38	Changes the content-type in json responses from text/html tot application/json to prevent XSS attacks	Download	Download
Apr 05 2021	39	The wishlist sharing function has been subject to intensive SPAM abuse. We added a switch to the Magento configuration to disable the sharing functionality. Please note that patch #35 is required for this patch to work properly. Please make sure to configure the setting according to your needs: The behavior of the Wishlist Sharing functionality can be controlled via a new config option in System > Config > Wishlist > Share Options > Enable Sharing	Download	Download
Apr 05 2021	40	We fixed a vulnerability in the MySQL adapter to prevent SQL injection attacks. CVE-2021-21024	Download	Download
May 28 2021	41	Updates Zend_Http_Response to support HTTP/2	Download	Download
May 28 2021	42	(HIGH) This patch adds improved security to unserialize() calls to avoid unexpected object creation. Attention: This patch changes almost every unserialize() call throughout the core code to prevent unwanted object creation. It touches many code aspects we’re unable to cover with tests. It might also affect functionality you intentionally wanted to create objects via unserialize(). It’s therefore crucial to test all your integrations and customizations before you apply it in your live environments!	Download	Download
May 28 2021	43	(HIGH) We fixed a vulnerability that allowed users with admin access to inject code (RCE) using session manipulation.	Download	Download
May 28 2021	44	(HIGH) Due to missing sanitation in data flow it was possible for admin users to upload arbitrary executable files to the server.	Download	Download
May 28 2021	45	(HIGH) Layout XML enabled admin users to execute arbitrary commands via block methods.	Download	Download
May 28 2021	46	(HIGH) We fixed a vulnerability in Magento’s package manager which lead to a RCE via race conditions.	Download	Download
May 28 2021	47	Zend_Validator wasn’t able to validate emails with uptodate TLDs. The list of TLDs has been updated.	Download	Download
May 28 2021	48	Adds array_key_first() and array_key_last() with a polyfill.	Download	Download
May 28 2021	49	This fixes a bug introduced with patch #47. Magento uses a copy of Zend’s original file with modified paths. While updating the file’s content, these modified paths have been replaced with their originals. So Magento wasn’t able to find the correct files anymore.	Download	Download
Aug 9 2021	50	Improves PHP5.6 compatibility for unserialization. Please Note: We do not recommend to use anything older than PHP7.3. There’s no support available for older PHP Versions!	Download	Download
Aug 9 2021	51	Updates phpseclib to version 2.0.32 to fix CVE-2021-30130.	Download	Download
Aug 9 2021	52	Fixes a persisted XSS vulnerability.	Download	Download
Aug 9 2021	53	(CRITICAL) Restores missing .htaccess files from core automatically. In some Magento installations merchants or developers or agencies accidentally removed .htaccess files from regular core directories and thus exposed security vulnerabilities. To regain protection for these directories we automatically check for deleted .htaccess files and reinstate them in the following locations: `/app/.htaccess /dev/.htaccess /downloader/lib/.htaccess /downloader/Maged/.htaccess /downloader/template/.htaccess /includes/.htaccess /lib/.htaccess /media/downloadable/.htaccess /media/customer/.htaccess /shell/.htaccess /skin/frontend/rwd/default/scss/.htaccess /var/.htaccess`	Download	Download
Aug 9 2021	54	Improving PHP8 compatibility.	Download	Download
Aug 9 2021	55	Prevent DoS attack via passwords larger than 4k.	Download	Download
Aug 9 2021	56	(HIGH) An administrator with permission to import/export data and to edit cms pages was able to inject an executable file on the server via layout xml.	Download	Download
Aug 9 2021	57	(HIGH) Arbitrary command execution in Custom Layout Update via block method.	Download	Download
Aug 9 2021	58	(HIGH) Arbitrary file delete in customer media allows remote code execution.	Download	Download
Aug 9 2021	59	This patch adds brute force attack prevention to customer login via Frontend and API as well as admin panel login. If enabled this feature prevents brute force login attacks by disabling the login feature once the failed login attempts limit is reached. With every failed login attempt the login retry time increases. This time is respecting the max_execution_time setting. The failed login attempts counter will be reset if a successful login is detected before it reaches the login attempt limit. Customer Login: To enable this feature, go to `System > Configuration > Customer Options > Password Options`. The Switch is called ‘Enable brute force protection’. The number of failed logins defaults to 10 and can be configured in the field Maximum number of failed attempts. If an account has too many failed logins, an error message will appear. The customer can then send an unlock link via email to the account’s address. The email template is called ‘Customer Account Unlock Notification’. Admin Login: To enable this feature, go to `System > Configuration > Admin > Security`. The switch is called ‘Enable brute force protection’. The number of failed logins defaults to 10 and can be configured in the field ‘Maximum number of failed attempts’. If an account has too many failed logins, an error message will appear. The administrator can then send an unlock link via email to the account’s address. The email template is called ‘Admin Account Unlock Notification’. API: To enable this feature, go to `System > Configuration > Magento Core API > General Settings`. The switch is called ‘Enable brute force protection’.	Download	Download
Sep 8 2021	60	Some of our customers are using netz98’s magerun tool to maintain their stores. With this patch we add additional compatibility for our last patch #59 features with magerun by adding a reload() Method to the Mage_Customer_Model_Customer.	Download	Download
Sep 8 2021	61	(HIGH) An administrator with privileges to upload files via DataFlow and to create products was able to execute arbitrary code via the convert profile. The fix applies to the Zend_Db::factory().	Download	Download
Nov 4 2021	62	Improves deserialization performance for PHP 5.6. Please Note: We do not recommend to use anything older than PHP7.3. There’s no support available for older PHP Versions!	Download	Download
Nov 4 2021	63	Fixes an issue with brute force protection (patch #59) and requesting reset password link.	Download	Download
Nov 4 2021	64	(CRITICAL) An administrator with the right to create or edit CMS pages was able to upload and execute arbitrary code using the wysiwyg editor.	Download	Download
Jan 20 2022	65	(CRITICAL) Improves security checks for patch #64 and adds compatibility with symlinked media directories.	Download	Download
Jan 20 2022	66	Improves compatibility for third party code and patch #61.	Download	Download
Jan 20 2022	67	(CRITICAL) Improves compatibility for import file uploads to ./var directory and patch #64.	Download	Download
May 12 2022	68	(CRITICAL) Fixes to prevent RCE attacks via Varien_Convert_Adapter_Zend_Cache and Mage_Dataflow_Model_Convert_Adapter_Zend_Cache. These classes were not used in Magento core code, thus we decided to remove them completely. We did not see any valid use case to change cache entries via import/export. Attention: If you use any of theses classes in your customization, please be aware that you have to change your custom code in order to stay compatible.	Download	Download
May 12 2022	69	(HIGH) This patch prevents sending passwords in emails in plain text. Passwords in emails will all be replaced with asterisks. One exception: If an administrator sets a new customer password via the admin panel, in this case you’ll now see a note on the input field that this password is sent in plain text. You now have a button to force sending a ‘Forgot Password’ email via the admin panel.	Download	Download
May 12 2022	70	This patch fixes a JavaScript issue with Import/Export.	Download	Download
May 12 2022	71	Fixes a session handling issue for downloadable products, introduced in SUPEE-11314.	Download	Download
May 19 2022	72	This patch fixes a bug of patch #69 which stopped account confirmation emails to work. With patch #69 we introduced code to redact the customer password from the customer object. This patch fixes a bug that caused the customer account confirmation email to stop working.	Download	Download
Jul 25 2022	73	This patch fixes an issue with the JS and CSS merge and sets the Content-Type on an educated guess basis.	Download	Download
Jul 25 2022	74	This patch disables the phar:// protocol to open and/or execute content of phar files (e. g. in the context of including templates). Many of the found vulnerabilities use phar:// files to exploit the system. Forbidding the opening of phar files and preventing the unserialization on them hardens Magento.	Download	Download
Jul 25 2022	75	This patch improves handling of admin passwords and makes sure to implement PCI security measures. You can now configure admin password strength settings in System > Configuration > Admin > Security > Admin Password Strength. You can set it to any of these values: Default Password must contain at least 7 characters. Password must contain at least one number and one letter. PCI All of the rules above. Change password every 90 days. No repetition of the last 4 passwords. If password is set by another admin, it is forced to be changed. All admin passwords are forced to be changed on activation. PCI Advanced All of the rules above. Password must contain special characters.	Download	Download
Jul 25 2022	76	(CRITICAL) This patch fixes an issue where an admin could use the password forgot feature to escalate their privileges. This patch contains the SQL Formatter which is licensed under the MIT License.	Download	Download
Jul 25 2022	77	This patch reduces deprecated messages with PHP 8.0/8.1.	Download	Download
Aug 10 2022	78	Patch (#75) introduced a new feature to harden administrator passwords with forced PCI compliance. Unfortunately this patch interfered with our previously introduced brute force protection (Patch #59). Patch #78 fixes compatibility of admin password PCI compliance (#75) with brute force protection (#59).	Download	Download
Oct 27 2022	79	This patch fixes a XSS vulnerability in Mage_Dataflow_Model_Convert_Adapter_Http::save() which allows the display of content via $this->getData() on the page using echo().	Download	Download
Oct 27 2022	80	This patch replaces rand() with mt_rand() since PHP 7.1 mt_rand() has superseded rand() completely, and rand() was made an alias for mt_rand().	Download	Download
Oct 27 2022	81	This patch improves Patch #78: If a user lacks permission to change his password, he is informed about it. This patch fixes the current redirect loop.	Download	Download
Oct 27 2022	82	This patch improves Patch #76: Read-Query detection is extended by DESCRIBE, TABLES, VALUES, and PREPARE.	Download	Download
Oct 27 2022	83	This patch adds a message ID to outgoing emails, because especially Google hardened their spam filter for emails without message ID.	Download	Download
Oct 27 2022	84	This patch provides support for MySQL 8.	Download	Download
Mar 16 2023	85	This patch improves PHP8 compatibility for Zend_Registry.	Download	Download
Mar 16 2023	86	This patch improves PHP8 compatibility for report.php.	Download	Download
Jun 2 2023	87	This patch improves password security by checking if password equals email address for customers and if password equals username or email address for admin users.	Download	Download
Jun 2 2023	88	This patch improves PHP8 compatibility for the catalog product action attribute form.	Download	Download
Jun 2 2023	89	This patch improves PHP8 compatibility for Mage_Api_Model_Wsdl_Config_Element.	Download	Download
Jun 2 2023	90	This patch fixed an login loop issue caused by missing setOrigData(). This patch also hardens bruteforce password protection.	Download	Download
Jun 2 2023	91	This patch fixes an issue with rejected mails due to incompatible line endings. After upgrading to PHP8, we noticed that all emails were rejected by some mail systems. As of PHP8, the mail() function separates all parts of an email using CRLF instead of LF. However, the Zend_Mail_Transport_Sendmail wrapper class still uses LF as line separator. This resulted in mails being sent with mixed line endings.	Download	Download
Jun 2 2023	92	This patch prevents javascript execution in email template previews in admin panel.	Download	Download
Oct 30 2023	93	This patch improves compatibility with PHP 8 and MySQL. Enables ATTR_STRINGIFY_FETCHES in MYSQL-PDO to avoid integer string problems in json encode.	Download	Download
Oct 30 2023	94	This patch improves MySQL compatibility by adding data type support for unsigned integers.	Download	Download
Dec 20 2023	95	(HIGH) This patch improves protection against bruteforce attacks to view guest orders. New protect codes are much longer now. This patch adds a new configuration option to System > Configuration > Sales > General > Block short guest order protect codes to blocks access for guest orders with short protect codes. Ref: CVE-2023-41879	Download	Download
Dec 20 2023	96	This patch fixes a typo for patch #94 where we misspelled unsigned with unsinged.	Download	Download
Feb 15 2024	97	tinyMCE uses iFrame to show its content, which lead to an XSS vulnerability. By sandboxing the iFrame no XSS is possible anymore. Known Issue: Applying this patch might fail because there are versions of Magento in circulation that use \r\n line breaks instead of \n line breaks for certain files. Option 1 If you encounter errors when applying the patch, you can use the command line utility dos2unix to correct the line breaks. You can use the following command: ```find . -type f -print0	xargs -0 dos2unix`</div> <div>Option 2 If you cannot install or use dos2unix, you can also use sed on the command line to correct the line breaks:`find . -type f -name *.php -print -exec sed -i ’’ ’s/\r//’ {} ;```	Download
Feb 15 2024	98	Forgot Password feature now uses formkey protection to prevent CSRF attacks.	Download	Download
Feb 15 2024	99	This patch improves compatibility for PHP8. In the reports section, total for each column will be calculated with additions. It also covers the name column, which does not contain numbers. The patch will make sure that all value are converted to numbers first. Warning! If e.g. product names start with a number, this will lead to wrong column totals!	Download	Download
Feb 15 2024	100	This patch improves include file handling in environments with multiple symlinked directories.	Download	Download
Jul 30 2024	101	This patch updates phpseclib to version 2.0.47, fixes DoS (denial of service) vulnerability.	Download	Download
Jul 30 2024	102	(HIGH) This patch fixes XSS vulnerability in admin panel when uploading files.	Download	Download
Jul 30 2024	103	This patch improves PHP 8 compatibility for modules when methods such as call_user_func_array are used.	Download	Download
Jul 30 2024	104	This patch improves USPS compatibility.	Download	Download
Aug 29 2024	105	This patch adds in-app rate limiting for specific URLs. ⚠️ We do highly recommend to use fail2ban for larger shops as it is much faster and provides more configuration. This feature here is meant to protect smaller shops with less sophisticated hosting setups. We do protect the following URLs by default with a limit of 10 requests per 10 seconds: `/customer/account/login` `/sales/guest/form` Rate limits will be tracked in the table `mageone_ratelimit_log`. A cron job at 1.30 am will remove outdated entries. Further URLs can be added by custom modules. Use your `config.xm`l file to add new entries to the `global` section like so: `<mageone_ratelimit>` `<custom_identifier>` `<route>/path/of/url</route>` `<enabled>true</enabled>` `<max_queries_in_time_window>10</max_queries_in_time_window>` `<time_window_in_seconds>10</time_window_in_seconds>` `</custom_identifier>` `</mageone_ratelimit>`	Download	Download
Aug 29 2024	106	(HIGH) This patch fixes a file content extraction vulnerability in dataflow.	Download	Download
Aug 29 2024	107	(HIGH) This patch fixes a stored XSS vulnerability in dataflow.	Download	Download
Aug 29 2024	108	This patch updates UPS integration to work with OAuth2.0. ⚠️ Please note that we were unable to get access to the official UPS Test API. This patch therefore is given without warranty. Please make sure to test it thoroughly in your own setup!	Download	Download
Aug 29 2024	109	This patch fixes a missing translation helper for Patch #105.	Download	Download
Aug 29 2024	110	This patch fixes dataflow realpath problems concerning Patch #107.	Download	Download
Aug 29 2024	111	This patch improves PHP5.6 compatibility for UPS carrier update from Patch #108.	Download	Download
Dec 23 2024	112	This patch fixes the wrong rate limit model instantiation from patch #105.	Download	Download
Dec 23 2024	113	(HIGH) This patch fixes a stored XSS in admin system configs CVE-2024-41676.	Download	Download
Dec 23 2024	114	This patch improves compatibility with PHP 8 and only closes files that have been opened before.	Download	Download
Dec 23 2024	115	This patch fixes the wrong rate limit column name in the cleanup cron in patch #105.	Download	Download
Feb 12 2025	116	(CRITICAL) This patch fixes an RCE (remote code execution) vulnerability, which allowed a low privileged admin panel user to upload a PHP file and gain full access to database and backend via custom product options file upload.	Download	Download
May 21 2025	117	(HIGH) This patch fixes a Cross-Site-Scripting vulnerability in theme configuration fields. This patch will escape HTML content in the ‘Welcome’ message field. HTML from this field must be removed.	Download	Download
Jan 15 2026	118	(HIGH) This patch fixes a XSS vulnerability in Magento’s URL processing system. Usage of getBaseUrl() is now protected by solid validation and encoding. Ref: CVE-2025-27400	Download	Download

Severity Categories

(CRITICAL)

Critical severity issues allow an attacker to read or write arbitrary resources (including but not limited to the file system, registry, network, etc.) on the underlying platform, with the user’s full privileges.

Glossary

Mon, 01 Jan 0001 00:00:00 +0000

Platform & products

Webscale One

Definition. Webscale’s managed hosting platform for eCommerce. It’s the umbrella offering that bundles infrastructure, the Webscale proxy, CDN, and security services into a single managed environment. Customers migrating onto the platform are migrating onto Webscale One.

Aliases. None canonical. Avoid “the Webscale platform” in customer-facing materials when you specifically mean Webscale One.

Example. “After your Webscale One environment is provisioned, the migration team will request your domain list and current host paths.”

Pagespeed Options

Mon, 01 Jan 0001 00:00:00 +0000

By default, Webscale enables the following filters with the default settings as specified by Add_head .

This filter exists primarily to ensure that other filters have a place to insert new tags in the head, or that trigger on the closing-tag of the head to perform some other action.

Pagespeed Options List

Option	Description
`canonicalize_javascript_libraries`	Identifies popular JavaScript libraries and replaces them with ones hosted for free by a JavaScript library hosting service (Google Hosted Libraries by default), which has several benefits, including: Most importantly, first-time site visitors can benefit from browser caching, since they may have visited other sites making use of the same service to obtain the libraries. The JavaScript hosting service acts as a content delivery network for the hosted files, reducing load on the server, and improving browser load times. There are no charges for the resulting use of bandwidth by site visitors. Third-party minification tools generally optimize the hosted versions of library code. These optimizations can make use of library-specific annotations or minification settings that aren’t portable to arbitrary JavaScript code, so the libraries benefit from more aggressive optimization than can be provided by PageSpeed.
`combine_css`	Seeks to reduce the number of HTTP requests made by a browser during page refresh by replacing multiple distinct CSS files with a single CSS file, containing the contents of all of them. Particularly important in old browsers that were limited to two connections per domain. In addition to reduced overhead for HTTP headers and communications warm-up, this approach works better with TCP/IP slow-start, increasing the effective payload bit-rate through the browser’s network connection.
`convert_meta_tags`	Adds a response header that matches each meta tag with an `http-equiv` attribute. For example, the HTML `<meta http-eqiv=”Content-Type” content=”text/html; charset=UTF-8″>` Adds this HTTP header in the response: `Content-Type: text/html; charset=UTF-8` The original tag is left unchanged. Certain `http-equiv` meta tags, specifically those that specify content-type, require a browser to reparse the HTML document if they do not match the headers. This avoids reparsing delays by ensuring that the headers match the meta tags.
`extend_cache`	Seeks to improve the cacheability of a web page’s resources without compromising the ability of site owners to change the resources and have those changes propagate to users’ browsers. The `extend_cache` filter rewrites the URL references in the HTML page to include a hash of the resource content (if `rewrite_css` is enabled, then image URLs in CSS are also rewritten). Thus if the site owners change the resource content, then the URL for the rewritten resource changes also. Since the old content in the user’s browser cache does not match the new name, the browser does not reference it again.
`flatten_css_imports`	Parses linked and inlined CSS and flattens it by replacing all `@import` rules with the contents of the imported file, repeating the process recursively for each imported file. Works on CSS found in `<style>` blocks and `<link>` references.
`inline_css`	Reduces the number of requests made by a web page by inserting the contents of small external CSS resources directly into the HTML document. Reduces the time it takes to display content to the user, especially in older browsers.
`inline_import_to_link`	Converts a `<style>` tag consisting of only @import statements into the corresponding `<link>` tags. This conversion does not itself result in any significant optimization; rather, its value lies in that it enables optimization of the linked-to CSS files by later filters, in particular the combine_css, rewrite_css, inline_css, and extend_cache filters.
`inline_javascript`	Reduces the number of requests made by a web page by inserting the contents of small external JavaScript resources directly into the HTML document.<br ?> Reduces the time it takes to display content to the user, especially in older browsers.
`insert_dns_prefetch`	Reduces DNS lookup time by providing hints to the browser at the beginning of the HTML, which allows the browser to pre-resolve DNS for resources on the page. DNS resolution time varies from <1ms for locally cached results to hundreds of milliseconds due to the cascading nature of DNS. This can contribute significantly towards total page load time.
`rewrite_css` and `fallback_rewrite_css_urls`	Parses linked and inline CSS, rewrites the images found and minifies the CSS. Wroks on CSS found in `<style>` blocks and `<link>` refs. Many images are referenced from CSS rather than HTML. If `rewrite_images`, `recompress_images`, `recompress_jpeg`, `recompress_png`, `recompress_webp`, `convert_gif_to_png`, `convert_jpeg_to_webp`, `convert_png_to_jpeg`, or `extend_cache` are enabled this filter finds and rewrites those images, saving bytes and extending cache lifetimes. The CSS parser cannot parse some CSS3 or proprietary CSS extensions. If `fallback_rewrite_css_urls` is not enabled, these CSS files are not rewritten at all. If the `fallback_rewrite_css_urls` filter is enabled, a fallback method attempts to rewrite the URLs in the CSS file, even if the CSS cannot be successfully parsed and minified. Minification can drastically reduce the byte count in standard CSS by stripping all comments and most whitespace and shortening color names. Use this filter to avoid the extra step of minifying CSS by hand when constructing and maintaining a site. This practice reduces the payload size.
`rewrite_javascript`	Minifies JavaScript code, using an algorithm similar to that in Douglas Crockford’s popular JSMin program . At present, the filter strips all comments and most whitespace and works only on JavaScript found in `<script>` blocks (either as the target of the src attribute or within the body of the block). Minification can drastically reduce the byte count in common JavaScript code. Use this filter to avoid the extra step of minifying JavaScript code by hand when constructing and maintaining a site. This practice reduces the payload size.
`rewrite_style_attributes_with_url`	Rewrites CSS inside elements’ style attribute. Requires `rewrite_css` to also be enabled. See the settings for `rewrite_css` to control CSS minification, image rewriting, image recompression, and cache extension. The `rewrite_style_attributes` filter enables the filter for all style attributes, whereas `rewrite_style_attributes_with_url` enables it only for style attributes that contain the text `url()`, for which you generally want to enable one or more image optimization filters. `rewrite_style_attributes_with_url` is more efficient because it does not always parse the CSS, but it does not optimize CSS that doesn’t reference any URLs. `rewrite_style_attributes` always parses the CSS and optimize everything possible. Since images are generally the source for most significant improvement and `url()` encloses them, `rewrite_style_attributes_with_url` is a good balance for most uses, while `rewrite_style_attributes` is available for more aggressive optimization.

The two options below specify groups of image optimizations that help to make sure images are high quality and load fast. Please refer to the Pagespeed site for details.

Webscale One - How Migrations Work

Mon, 01 Jan 0001 00:00:00 +0000

Preparation

After a new Webscale One environment is provisioned, an email is sent to the owner requesting information needed for the migration task:

Domain(s) to be migrated
Path to files on current host (e.g. /var/www or /home/username/www)
Control Panel URL
Control Panel Username
Control Panel Password
SSH URL
SSH Username
SSH Password

Depending on the current hosting, store owners may not have immediate access to all the needed information. The owner should consult with their original developers or the hosting provider asssistance.