E-commerce Platform May Fall Prey To Hackers: Critical Bug in Magento

E-commerce Platform May Fall Prey To Hackers: Critical Bug in Magento

E-commerce Platform May Fall Prey To Hackers: Critical Bug in Magento

E-commerce Platform May Fall Prey To Hackers: Critical Bug in Magento - 5.0 out of 5 based on 2 reviews

Thousands of e-commerce companies, using Magento, are at risk as critical bug found in Magento. If you are using Magento to run your websites, patch it as soon as possible to protect your websites from massive attacks.

 

Magento

 

Stored XSS Flaw in Magento: It is found that the stored cross–site scripting (XSS) vulnerability exists in all versions of Magento community edition 1.9.2.2 and earlier including enterprise edition 1.14.2.2 and earlier. There is a plethora of consequences of the stored cross–site scripting (XSS) flaws. An attacker can take over your website via administrator account, steal the credit card information and customers’ data and control the Magento based online store through this flaw.

How It is Exploitable: An attacker can embed the malicious Javascript code inside customer registration forms. Then Magento runs and executes the Javascript code in context of the administrator account that makes possible for an attacker to steal administrator session and have the control on entire server running the e-commerce platform.

According to Sucuri Advisory, "This vulnerability affects almost every install of Magento CE <1.9.2.3 and Magento EE <1.14.2.3. The buggy snippet is located inside Magento core libraries, more specifically within the administrator’s backend. Unless you’re behind a WAF or you have a very heavily modified administration panel, you’re at risk." "As this is a Stored XSS vulnerability, this issue could be used by attackers to take over your site, create new administrator accounts, steal client information, anything a legitimate administrator account is allowed to do."

However, this vulnerability is patched and fixed. So, the awareness of latest bug and fixing it soon, is always considered as an active security action. The regular vulnerability test is required to have your websites secured.

Read 742 times Last modified on Wednesday, 03 February 2016 11:12
Login to post comments