SecurityWeek
Critical Magento Flaws Expose Sites to Takeover

The developers of the popular e-commerce platform Magento released a security update last week to patch more than 20 vulnerabilities, including ones that could allow malicious hackers to hijack affected websites.

One of the critical flaws resolved with the release of the SUPEE-7405 patch bundle is a stored cross-site scripting (XSS) vulnerability reported in November by researchers at security firm Sucuri.

The weakness is caused by the fact that the email address provided by users when they register on a Magento-powered online store is not properly validated. This allows an attacker to provide an email address containing JavaScript code, which gets executed when the targeted site’s administrator views the order in the backend.

A malicious actor could exploit this vulnerability to gain administrator access to the targeted store and perform any actions that are normally limited to admins. According to Sucuri, the bug is similar to one identified by the company last year in the Jetpack plugin for WordPress.

A similar stored XSS flaw was discovered by Erik Wohllebe. The expert determined that an attacker can add malicious JavaScript code to a comment via the PayFlow Pro payment module. The JavaScript code is executed server-side when the targeted site’s administrator views the attacker’s order.

Magento developers said this critical vulnerability can be exploited to take over admin sessions and perform actions on the administrator’s behalf.

Peter O’Callaghan discovered a stored XSS flaw that Magento has classified as “high severity.” This flaw allows malicious hackers to take over a website by injecting JavaScript code into Order View forms in the administrator panel using the HTTP_X_FORWARDED_FOR header. This is considered a less serious vulnerability because it only affects configurations that use the problematic header setting, which is not recommended by Magento.
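The three injection points above (registration email, order comment, HTTP_X_FORWARDED_FOR) share a root cause: attacker-controlled text is stored and later rendered in the admin order view without validation or output escaping. The following PHP is an added example, not Magento's code or part of the SUPEE-7405 patch; the function names are hypothetical and the sample order is constructed.

```php
<?php
// Added example, not Magento code: input validation plus output escaping for
// the fields the article names, all of which reach the admin order view.

// Registration email. filter_var alone is not enough: RFC 5321 permits quoted
// local parts such as "<script>..."@example.com, so a conservative character
// set is enforced first and the RFC check is applied second.
function validateCustomerEmail(string $email): ?string
{
    $email = trim($email);
    if (strlen($email) > 254
        || !preg_match('/^[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/', $email)
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $email;
}

// X-Forwarded-For must be a comma-separated list of IP addresses: keep only the
// entries that parse as IPs and drop everything else.
function sanitizeForwardedFor(string $header): string
{
    $ips = array_filter(array_map('trim', explode(',', $header)),
        fn($ip) => filter_var($ip, FILTER_VALIDATE_IP) !== false);
    return implode(', ', $ips);
}

// Output escaping for the admin view: every untrusted field is encoded for an
// HTML text context, whatever validation happened at input time.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderOrderRow(array $order): string
{
    return '<tr><td>' . escapeHtml($order['email']) . '</td><td>'
         . escapeHtml($order['comment']) . '</td><td>'
         . escapeHtml($order['remote_ip']) . '</td></tr>';
}

// Constructed sample order, not real data: each field carries a script payload.
$order = [
    'email'     => '"<script>alert(1)</script>"@example.com',
    'comment'   => 'Thanks! <img src=x onerror=alert(1)>',
    'remote_ip' => '203.0.113.5, <script>alert(2)</script>',
];
var_dump(validateCustomerEmail($order['email']));     // NULL: rejected at input
echo sanitizeForwardedFor($order['remote_ip']), "\n"; // 203.0.113.5
echo renderOrderRow($order), "\n";                    // < > " encoded, inert
```

The output-escaping step is the control that would have stopped all three reported bugs even where validation was missing, so it belongs in the admin templates regardless of what the input layer accepts.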

O’Callaghan has also identified a high severity information leakage bug that allows an attacker to access the details of some orders placed via a vulnerable store.

A different high severity information disclosure bug was found in Magento’s RSS feed by Egidio Romano, who determined that an attacker could download order-related information by using special parameters in the RSS feed request.

The last high severity vulnerability addressed with the SUPEE-7405 patch is a cross-site request forgery (CSRF) in the administrator login page. An attacker can exploit this flaw by tricking an administrator into clicking on a specially crafted link.

The list of medium and low severity flaws includes insufficient protection, formula injection, CSRF, XSS, denial-of-service (DoS), and brute force issues.

The patched vulnerabilities affect Magento CE prior to 1.9.2.3 and Magento EE prior to 1.14.2.3, and in some cases Magento 2 CE and EE prior to 2.0.1.

It’s important that online store administrators patch their installations as soon as possible because it’s not uncommon for malicious actors to target Magento websites. In some cases, cybercrooks started exploiting Magento flaws in an effort to hijack websites within 24 hours after disclosure.

In October, security firms reported that thousands of Magento websites had been abused to deliver malware via the Neutrino exploit kit.

Related: Zero-Day Flaw in Magento Tool Exploited in the Wild

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.