Critical Magento SQL Injection Vulnerability Discovered – Patch Your Sites


If your online e-commerce business is running over the Magento
platform, you must pay attention to this information.

Magento yesterday released[1] new versions of its
content management software to address a total of 37
newly-discovered security vulnerabilities.

Owned by Adobe since mid-2018, Magento is one of the most
popular content management system (CMS) platforms; it powers 28% of
websites across the Internet, with more than 250,000 merchants using
the open source e-commerce platform.

Though most of the reported issues can only be exploited by
authenticated users, one of the most severe flaws in Magento is an
SQL injection vulnerability that can be exploited by
unauthenticated, remote attackers.

The flaw, which has no CVE ID but is internally labeled
“PRODSECBUG-2198,” could allow remote attackers to steal sensitive
information from the databases of vulnerable e-commerce websites,
including admin sessions or password hashes that could grant
them access to the admin dashboard.

Affected Magento versions include:

  • Magento Open Source prior to 1.9.4.1
  • Magento Commerce prior to 1.14.4.1
  • Magento Commerce 2.1 prior to 2.1.17
  • Magento Commerce 2.2 prior to 2.2.8
  • Magento Commerce 2.3 prior to 2.3.1
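As an added example (not code from the article or from Magento), a small checker that compares a deployed version string against the affected-version list above, encoded exactly as the article states it. The edition labels and the handling of a trailing suffix such as "-p1" are assumptions of this example.

```python
"""Check a Magento version against the affected-version list from the
PRODSECBUG-2198 advisory. Example code, not part of Magento."""
import re

# (edition, branch prefix, first fixed version) as listed in the advisory.
# A version is affected when it is on that branch and older than the fix.
FIXED_VERSIONS = [
    ("open-source", (1,), (1, 9, 4, 1)),
    ("commerce", (1,), (1, 14, 4, 1)),
    ("commerce", (2, 1), (2, 1, 17)),
    ("commerce", (2, 2), (2, 2, 8)),
    ("commerce", (2, 3), (2, 3, 1)),
]


def parse_version(text):
    """Turn '2.2.7', 'v1.9.4.0' or '2.2.7-p1' into a tuple of ints.

    Any suffix after the numeric part (assumed patch marker) is ignored."""
    match = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(edition, version):
    """Return True if affected, False if fixed, None if the branch is not
    covered by the advisory list (for example Commerce 2.0)."""
    parsed = parse_version(version)
    for listed_edition, branch, fixed in FIXED_VERSIONS:
        if listed_edition == edition and parsed[:len(branch)] == branch:
            # Tuple comparison: a shorter prefix (2.3 vs 2.3.1) sorts older.
            return parsed < fixed
    return None


if __name__ == "__main__":
    # Constructed sample inputs, not real deployments.
    for edition, version in [("commerce", "2.2.7"), ("commerce", "2.2.8"),
                             ("open-source", "1.9.4.0"), ("commerce", "2.0.18")]:
        print(edition, version, "->", is_affected(edition, version))
```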

Since Magento sites not only store users’ information but also
hold their customers’ order history and financial information,
the flaw could lead to catastrophic online attacks.
Given the sensitive nature of the data Magento e-commerce websites
handle on a daily basis, as well as the risk the SQL injection
vulnerability represents, Magento developers have decided not to
release technical details of the flaw.

Besides the SQLi vulnerability, Magento has also patched
cross-site request forgery (CSRF), cross-site scripting (XSS),
remote code execution (RCE) and other flaws, but exploiting
the majority of those flaws requires attackers to be authenticated
on the site with some level of privileges.

Online store owners are urged to upgrade their e-commerce
websites to the recently patched versions as soon as possible,
before attackers start exploiting the flaw to compromise their
websites and steal their customers’ payment card details.

References

  1. released (magento.com)
