[Updated: Clarifications to vulnerability exploit]
Magento has released new security patches designed to plug a number of critical XSS vulnerabilities.
In an update last week, the content management system released a bundle of new security updates which included patches for two critical issues.
The stored cross-site scripting (XSS) flaws are dangerous as they allow attackers to hijack Magento-based websites, escalate user privileges, steal client data and control the website via administrator accounts.
As Magento is an e-commerce management platform, this may also include the theft of sensitive customer data which can lead to issues including identity theft.
The first vulnerability, affecting almost every install of Magento CE 22.214.171.124 and below, as well as Magento EE 126.96.36.199 and prior versions, can be exploited remotely by attackers.
An email address that is part of the customer account can be abused to include malicious code. The code is then executed in admin context when viewing order information in the Magento backend, possibly leading to account takeover.
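The defender-side fix for the pattern described above is to validate the address on input and escape it on output. The following is an added illustration in Python, not Magento's own PHP code; the order records and the `render_order_view*` helpers are constructed for the example.

```python
import html
import re

# Conservative syntax check for a customer-supplied e-mail address.
# Markup characters such as '<' and '"' are never accepted.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_valid_email(addr: str) -> bool:
    """Input-side check: reject anything that is not a plain address."""
    return bool(EMAIL_RE.match(addr))


def render_order_view_unsafe(order: dict) -> str:
    """The shape of the bug: stored customer data dropped into admin HTML verbatim,
    so any markup in the address is interpreted by the admin's browser."""
    return f"<td>{order['customer_email']}</td>"


def render_order_view(order: dict) -> str:
    """Hardened: escape on output, so stored data renders as text, never as markup."""
    return f"<td>{html.escape(order['customer_email'], quote=True)}</td>"


def audit_customer_emails(emails):
    """Return stored addresses that fail validation, so an operator can find
    records that were accepted before patching and still need cleaning."""
    return [e for e in emails if not is_valid_email(e)]


# Constructed sample records (hypothetical, not real customer data).
ORDERS = [
    {"id": 1001, "customer_email": "alice@example.com"},
    {"id": 1002, "customer_email": "bob@example.com<b>markup</b>"},
]

if __name__ == "__main__":
    for order in ORDERS:
        print("unsafe:", render_order_view_unsafe(order))
        print("safe:  ", render_order_view(order))
    print("needs review:", audit_customer_emails(o["customer_email"] for o in ORDERS))
```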
Cybersecurity firm Sucuri says:
"The buggy snippet is located inside Magento core libraries, more specifically within the administrator's backend. Unless you're behind a WAF or you have a very heavily modified administration panel, you're at risk."
The second bug, also deemed critical, was discovered within the comments sections of the Magento CMS. According to the e-commerce platform, a "specifically crafted request" which relies upon the PayFlow Pro payment module can be appended to an order.
In the latest security update, Magento also fixes problems including RSS-based information leaks, weakness to brute-force attacks, a lack of form protection on the Admin Login page that enabled request forgery attacks, and a denial of service issue in email delivery, among others.
In order to protect websites from exploitation, webmasters should apply the latest patch bundle SUPEE-7405 as soon as possible. The latest fix solves the problem for versions of Magento 1.14.1 and 1.9.1 and earlier, while problems impacting versions 188.8.131.52 and 184.108.40.206 have already been resolved.