There is a major exploit in Magento that affects nearly all versions of the popular ecommerce platform. The exploit allows a hacker to take control of both the admin panel and the server.
Sucuri was the first to discover the vulnerability back in early November, but it took until January 22, 2016 for Magento to release the patch, after some very lengthy delays on Magento’s end, according to the timeline Sucuri published. It is unknown whether this exploit was used prior to the disclosure, but now that it is public, Magento users should update their platform immediately.
This vulnerability affects almost every install of Magento CE <18.104.22.168 and Magento EE <22.214.171.124. The buggy snippet is located inside Magento’s core libraries, more specifically within the administrator’s backend. Unless you’re behind a WAF or you have a very heavily modified administration panel, you’re at risk.
As this is a stored XSS vulnerability, it could be used by attackers to take over your site, create new administrator accounts, steal client information, or do anything else a legitimate administrator account is allowed to do.
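To make the mechanism concrete, here is an added, language-agnostic illustration in Python (not Magento’s code, and not taken from the Sucuri or Magento write-ups): a customer-supplied value stored through the storefront and later rendered in an admin page, first interpolated as-is (the vulnerable pattern) and then HTML-encoded for the context it lands in (the fix). The sample values, the `render_*` helpers and the `ActiveContentScanner` check are all constructed for this example; the scanner is the kind of regression test a defender can run over rendered admin templates to confirm no script-capable markup survives.

```python
import html
from html.parser import HTMLParser

# Constructed samples of what a stored XSS looks like in practice: values an
# attacker can submit through the storefront (a name, an address line, an
# order comment) that are later rendered inside the administrator's backend.
SAMPLE_BODY = "<script>alert(1)</script>"      # lands in element content
SAMPLE_ATTR = '" onmouseover="alert(1)'        # lands in an attribute value


class ActiveContentScanner(HTMLParser):
    """Defensive check: records markup that can execute script, namely
    <script> elements, on* event-handler attributes and javascript: URLs.
    Using a real HTML parser (not a regex) means encoded text such as
    &lt;script&gt; is correctly treated as inert data."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("<script> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler attribute {name}")
            if value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in attribute {name}")


def contains_active_content(fragment: str) -> bool:
    """True if the rendered fragment still carries executable markup."""
    scanner = ActiveContentScanner()
    scanner.feed(fragment)
    scanner.close()
    return bool(scanner.findings)


def render_unsafe(customer_field: str) -> str:
    """Vulnerable pattern: stored data interpolated into admin HTML verbatim."""
    return f'<td class="customer-name">{customer_field}</td>'


def render_safe(customer_field: str) -> str:
    """Hardened form: HTML-encode before interpolating into element content."""
    return f'<td class="customer-name">{html.escape(customer_field, quote=True)}</td>'


def render_attr_unsafe(customer_field: str) -> str:
    """Attribute context with only & < > encoded: quotes survive, so a stored
    quote character can close the attribute and start an event handler."""
    return f'<input type="text" value="{html.escape(customer_field, quote=False)}">'


def render_attr_safe(customer_field: str) -> str:
    """Attribute context with quotes encoded as well (quote=True)."""
    return f'<input type="text" value="{html.escape(customer_field, quote=True)}">'


if __name__ == "__main__":
    cases = [
        ("element, unescaped", render_unsafe(SAMPLE_BODY)),
        ("element, escaped", render_safe(SAMPLE_BODY)),
        ("attribute, quotes kept", render_attr_unsafe(SAMPLE_ATTR)),
        ("attribute, quotes escaped", render_attr_safe(SAMPLE_ATTR)),
    ]
    for label, rendered in cases:
        verdict = "ACTIVE CONTENT" if contains_active_content(rendered) else "inert"
        print(f"{label:28} {verdict:15} {rendered}")
```

The attribute case is the one that catches people out: encoding only `&`, `<` and `>` is enough for element text but not for a quoted attribute, which is why the encoding must match the output context rather than being applied once, generically, at storage time.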
Magento released its own information about the exploit here, in its patch notes.
If you use Magento, you should update immediately, or, if updating immediately isn’t an option, take steps such as placing a web application firewall (WAF) in front of the site to prevent a hacker from exploiting it in this manner.
Latest posts by Jennifer Slegg