Magento has released new security patches designed to plug a number of critical XSS vulnerabilities.
In an update last week, the content management system released a bundle of new security updates which included patches for two critical issues.
The stored cross-site scripting (XSS) flaws are dangerous as they allow attackers to hijack Magento-based websites, escalate user privileges, steal client data and control the website via administrator accounts.
As Magento is an e-commerce management platform, this may also include the theft of sensitive customer data which can lead to issues including identity theft.
Magento does not properly validate this email address and executes it in an admin context when an order is viewed in Magento. The malicious code embedded within the email address is then able to steal an administrator session.
Cybersecurity firm Sucuri says:
“The buggy snippet is located inside Magento core libraries, more specifically within the administrator’s backend. Unless you’re behind a WAF or you have a very heavily modified administration panel, you’re at risk.”
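The stored-XSS pattern described above, an untrusted email address placed into administrator HTML without validation or escaping, as an added defender's example. This is illustrative Python written for this article, not Magento's PHP code; the address policy, the markup heuristic and the sample records are all constructed assumptions, and it shows the three controls a shop owner would want: strict input validation, output encoding on every render, and an audit of already-stored records.

```python
import html
import re

# Conservative address shape built only from characters that can never open an
# HTML tag or attribute. Deliberately narrower than RFC 5322; this policy is an
# assumption for the example, not Magento's own validation.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$")
# Heuristic for markup or script-like fragments inside a stored value.
_MARKUP_RE = re.compile(r"[<>\"'`]|javascript:|on\w+\s*=", re.IGNORECASE)


def is_valid_email(address: str) -> bool:
    """Input validation: reject anything outside the conservative address shape."""
    return len(address) <= 254 and _EMAIL_RE.fullmatch(address) is not None


def render_admin_order_email(address: str) -> str:
    """Output encoding: escape the value every time it is placed into admin HTML,
    whether or not it was validated on the way in (defence in depth)."""
    return f'<td class="customer-email">{html.escape(address, quote=True)}</td>'


def audit_stored_emails(records):
    """Detection: return ids of stored customer emails that fail validation or
    contain markup, so an administrator can review them before they are rendered."""
    suspicious = []
    for customer_id, address in records:
        if not is_valid_email(address) or _MARKUP_RE.search(address):
            suspicious.append(customer_id)
    return suspicious


# Constructed sample records for the example, not real customer data.
SAMPLE_RECORDS = [
    (1001, "alice@example.com"),
    (1002, 'bob"><script>alert(1)</script>@example.com'),
    (1003, "carol+orders@example.co.uk"),
]

if __name__ == "__main__":
    print(audit_stored_emails(SAMPLE_RECORDS))           # [1002]
    print(render_admin_order_email(SAMPLE_RECORDS[1][1]))  # escaped, no live <script>
```

Validation alone is not enough for records that were stored before the patch, which is why the audit and the unconditional escaping on output are shown alongside it.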
The second bug, also deemed critical, was discovered in the comments sections of the Magento CMS. According to the e-commerce platform, a “specifically crafted request” which relies on the PayFlow Pro payment module can be appended to an order.
In the latest security update, Magento also fixes other problems, including RSS-based information leaks, susceptibility to brute-force attacks, a lack of form protection on the Admin Login page that enabled request forgery attacks, and a denial-of-service issue in email delivery.
To protect websites from exploitation, webmasters should apply the latest patch bundle, SUPEE-7405, as soon as possible.