Magento update fixes critical XSS flaws

If you are using the e-commerce CMS to run your website, update now. [Updated]

[Updated: Clarifications to vulnerability exploit]

Magento has released new security patches designed to plug a number of critical XSS vulnerabilities.


In an update last week, the content management system released a bundle of new security updates which included patches for two critical issues.

The stored cross-site scripting (XSS) flaws are dangerous as they allow attackers to hijack Magento-based websites, escalate user privileges, steal client data and control the website via administrator accounts.

As Magento is an e-commerce management platform, this may also include the theft of sensitive customer data which can lead to issues including identity theft.

The first vulnerability, affecting almost every install of Magento CE and below, as well as Magento EE and prior versions, is a vulnerability which can be exploited remotely by attackers.

An email address that is part of the customer account can be abused to include malicious code. The code is then executed in admin context when viewing order information in the Magento backend, possibly leading to account takeover.

Cybersecurity firm Sucuri says:

"The buggy snippet is located inside Magento core libraries, more specifically within the administrator's backend. Unless you're behind a WAF or you have a very heavily modified administration panel, you're at risk."

The second bug, also deemed critical, was discovered within the comments sections of the Magento CMS. According to the e-commerce platform, a "specifically crafted request" which relies upon the PayFlow Pro payment module can be appended to an order.

As Magento -- once again -- does not filter the request properly, JavaScript code then may end up being saved in the Magento database. If viewed server-side when an admin looks up an order, this code can then execute and also lead to session hijacking.

In the latest security update, Magento also fixes problems including RSS-based information leaks, weaknesses to brute-force attacks, a lack of form protection on the Admin Login page which enabled request forgery attacks and a denial of service issue in email delivery, among others.

In order to protect websites from exploitation, webmasters should apply the latest patch bundle SUPEE-7405 as soon as possible. The latest fix solves the problem for versions of Magento 1.14.1 and 1.9.1 and earlier, while problems impacting versions and have already been resolved.

In September last year, researchers discovered a phishing campaign which targeted and managed to infect thousands of Wordpress websites with the Nuclear Exploit kit.

Read on: Top picks

Show Comments