Magento an e-commerce management platform, has released an update for a number of critical XSS vulnerabilities which includes patches for two critical issues.
The stored cross-site scripting (XSS) flaws allow the attackers to hijack Magento-based websites via administrator accounts. Which may result to the theft of sensitive customer data.
The first vulnerability affected almost every version of Magento from CE 1.9.2.3 and below to EE 1.14.2.3 and above. This vulnerability could be exploited remotely by attackers. For exploiting this bug one needs an an email containing malicious Javascript code which is sent through the CMS platform.
Magento doesn't check the content of the email properly and executes it in an admin content. After this the malicious code is able to steal an administrator session.
Cybersecurity firm Sucuri says:"The buggy snippet is located inside Magento core libraries, more specifically within the administrator's backend. Unless you're behind a WAF or you have a very heavily modified administration panel, you're at risk."
The second bug was discovered within the comments sections of the Magento CMS.
As Magento does not filter the request properly, JavaScript code gets saved in the Magento database. When admin view the server-side, this code executes and leads to the session hijacking.
Other than these two critical vulnerabilities Magento also fixes problems including RSS-based information leaks, weaknesses to brute-force attacks, a lack of form protection on the Admin Login page, and many more.
To protect websites from exploitation, apply for the latest patch bundle SUPEE-7405 as soon as possible.
The stored cross-site scripting (XSS) flaws allow the attackers to hijack Magento-based websites via administrator accounts. Which may result to the theft of sensitive customer data.
The first vulnerability affected almost every version of Magento from CE 1.9.2.3 and below to EE 1.14.2.3 and above. This vulnerability could be exploited remotely by attackers. For exploiting this bug one needs an an email containing malicious Javascript code which is sent through the CMS platform.
Magento doesn't check the content of the email properly and executes it in an admin content. After this the malicious code is able to steal an administrator session.
Cybersecurity firm Sucuri says:"The buggy snippet is located inside Magento core libraries, more specifically within the administrator's backend. Unless you're behind a WAF or you have a very heavily modified administration panel, you're at risk."
The second bug was discovered within the comments sections of the Magento CMS.
As Magento does not filter the request properly, JavaScript code gets saved in the Magento database. When admin view the server-side, this code executes and leads to the session hijacking.
Other than these two critical vulnerabilities Magento also fixes problems including RSS-based information leaks, weaknesses to brute-force attacks, a lack of form protection on the Admin Login page, and many more.
To protect websites from exploitation, apply for the latest patch bundle SUPEE-7405 as soon as possible.