The developers of the popular e-commerce platform Magento released a security update last week to patch more than 20 vulnerabilities, including ones that could allow malicious hackers to hijack affected websites.
One of the critical flaws resolved with the release of the SUPEE-7405 patch bundle is a stored cross-site scripting (XSS) vulnerability reported in November by researchers at security firm Sucuri.
A malicious actor could exploit this vulnerability to gain administrator access to the targeted store and perform any actions that are normally limited to admins. According to Sucuri, the bug is similar to one identified by the company last year in the Jetpack plugin for WordPress.
Magento developers said this critical vulnerability can be exploited to take over admin sessions and perform actions on the administrator’s behalf.
O'Callaghan has also identified a high severity information leakage bug that allows an attacker to access the details of some orders placed via a vulnerable store.
A different high severity information disclosure bug was found in Magento’s RSS feed by Egidio Romano, who determined that an attacker could download order-related information by using special parameters in the RSS feed request.
The last high severity vulnerability addressed with the SUPEE-7405 patch is a cross-site request forgery (CSRF) in the administrator login page. An attacker can exploit this flaw by tricking an administrator into clicking on a specially crafted link.
The list of medium and low severity flaws includes insufficient protection, formula injection, CSRF, XSS, denial-of-service (DoS), and brute force issues.
The patched vulnerabilities affect Magento CE prior to 188.8.131.52 and Magento EE prior to 184.108.40.206, and in some cases Magento 2 CE and EE prior to 2.0.1.
It’s important that online store administrators patch their installations as soon as possible because it’s not uncommon for malicious actors to target Magento websites. In some cases, cybercrooks started exploiting Magento flaws in an effort to hijack websites within 24 hours after disclosure.
In October, security firms reported that thousands of Magento websites had been abused to deliver malware via the Neutrino exploit kit.