Security risks are severe, but account privileges required
Magento has released a brace of critical security updates addressing bugs that could allow attackers to play havoc with payment sites.
Users of the e-commerce platform are being urged to update their Magento builds to protect against SQL injection, cross-site scripting (XSS), and other bugs that could lead to complete account takeover.
A total of 130 vulnerabilities, including a whopping 14 RCE bugs, were patched in Magento Commerce and Magento Open Source versions 2.3.2, 2.2.9, or 2.1.18.
Three flaws were assigned a ‘critical’ CVSS severity rating of 9.1.
One vulnerability, CVE-2019-7895, could allow an attacker to execute arbitrary code through a crafted XML layout update.
Another, CVE-2019-7139, relates to an SQL injection flaw that could allow arbitrary read access to a web app’s underlying database.
Denial-of-service, information leakage, and cross-site request forgery vulnerabilities were also addressed in the latest security releases.
A security advisory from Adobe-owned Magento includes more information.
Authenticated users
It should be noted that many of these vulnerabilities can only be exploited by authenticated users, and almost all require administrative privileges.
While it isn’t clear whether any of the other bugs could be chained to gain admin privileges, an insecure credential storage vulnerability, CVE-2019-7858, can allow an attacker to gain access to user passwords via a brute-force attack.
The Daily Swig has reached out to Magento to confirm whether this could be exploited to access admin accounts.
Many of the vulnerabilities were disclosed through Magento’s bug bounty program.
The patches were released amid ongoing concerns surrounding Magecart – a card-skimming technique being employed against vulnerable Magento sites by various criminal gangs.
An evolution of the now 18-year-old Cart32 shopping cart software backdoor, Magecart takes the form of malicious JavaScript injected onto a site’s payment page.
Once installed, the script collects all form data entered by a user – including their name, cards details, and CVV number – and uploads it to a remote server under the attacker’s control.
The Magecart technique has targeted a number of well-known organizations in recent months, including British Airways, Sotheby’s Home, Vision Express, and Ticketmaster.