Magento Flaw Puts Millions Of Ecommerce Sites At Risk

Ecommerce sites around the world could be at risk of damaging cyber-attacks following the discovery of several vulnerabilities in a popular back-end system.

Magento, a content management system popular with online retail sites, released a large number of patches that it says will help fix a variety of potentially damaging flaws in both versions of its software.

The company, which is owned by eBay and says it has over 200,000 customers around the world, including many of the most popular online retail sites, is now urging users to download the twenty patches in order to ensure their sites do not fall victim to an attack.

Vulnerable

Among the most serious vulnerabilities, first revealed by security vendor Sucuri, is a stored cross-site scripting (XSS) vulnerability which could be triggered simply by sending an email to administrators.

This issue, which affects Magento Community Edition version 1.9.2.3 and earlier, and the Enterprise Edition version 1.14.2.3 and older, is rated as critical as the rogue code can hijack an administrator’s authenticated session or can instruct his browser to perform a rogue action on the website, such as adding another administrator account with attacker-supplied credentials.

Sucuri says that it first reported the bug to Magento’s security team early in November last year, although Magento only acknowledged the vulnerability on December 1, and then did not issue a patch until last weekend.

“This vulnerability affects almost every install of Magento CE <1.9.2.3 and Magento EE <1.14.2.3,” the company said in a blog. “The buggy snippet is located inside Magento core libraries, more specifically within the administrator’s backend. Unless you’re behind a WAF or you have a very heavily modified administration panel, you’re at risk.”

XSS attacks can be hugely damaging, leading to targeted attacks against users which could lead to data being stolen.

Last April, Finnish researchers warned that WordPress, another leading CMS platform, was vulnerable to XSS attacks due to an unpatched vulnerability that could allow malicious code to be injected into website comments in order to steal user data.

Are you a security pro? Try our quiz!

Mike Moore

Michael Moore joined TechWeek Europe in January 2014 as a trainee before graduating to Reporter later that year. He covers a wide range of topics, including but not limited to mobile devices, wearable tech, the Internet of Things, and financial technology.

Recent Posts

Spyware Maker NSO Group Found Liable In US Court

Landmark ruling finds NSO Group liable on hacking charges in US federal court, after Pegasus…

22 hours ago

Microsoft Diversifying 365 Copilot Away From OpenAI

Microsoft reportedly adding internal and third-party AI models to enterprise 365 Copilot offering as it…

22 hours ago

Albania Bans TikTok For One Year After Stabbing

Albania to ban access to TikTok for one year after schoolboy stabbed to death, as…

23 hours ago

Foldable Shipments Slow In China Amidst Global Growth Pains

Shipments of foldable smartphones show dramatic slowdown in world's biggest smartphone market amidst broader growth…

23 hours ago

Google Proposes Remedies After Antitrust Defeat

Google proposes modest remedies to restore search competition, while decrying government overreach and planning appeal

24 hours ago

Sega Considers Starting Own Game Subscription Service

Sega 'evaluating' starting its own game subscription service, as on-demand business model makes headway in…

1 day ago