Wednesday, April 12, 2017

High Risk 0-day Vulnerability Found in Magento eCommerce

During the security audit of Magento Community Edition, a highly popular e-commerce platform, a high risk vulnerability was discovered that could lead to remote code execution and thus the complete system compromise including the database containing sensitive customer information such as stored credit card numbers and other payment information. The vulnerability is based around an arbitrary file upload combined with a cross-site request forgery (CSRF) vulnerability as a main attack vector.

Despite the efforts of our team in notifying the vendor on more than one occasion since November 2016, the vulnerability remains unpatched.

Full vulnerability details are published as an advisory.

Regards,
DefenseCode Team

1 comment: