Wednesday, April 12, 2017

High Risk 0-day Vulnerability Found in Magento eCommerce

During a security audit of Magento Community Edition, a highly popular e-commerce platform, a high risk vulnerability was discovered that could lead to remote code execution and thus complete system compromise, including the database containing sensitive customer information such as stored credit card numbers and other payment information. The vulnerability combines an arbitrary file upload with a cross-site request forgery (CSRF) vulnerability, the latter serving as the main attack vector.

Despite the efforts of our team in notifying the vendor on more than one occasion since November 2016, the vulnerability remains unpatched.

Full vulnerability details are published as an advisory.

Regards,
DefenseCode Team

20 comments:

  1. Thanks for publishing such useful information. slope

  2. Yes, thanks, I've already read an article on another resource about this problem, and how to fix it. On my website, I also found this vulnerability when I installed the theme on the magento template https://www.templatemonster.com/ru/magento-themes-type/. I had to look for ways to eliminate the problem, found by chance on one resource dedicated to programming, which details how to eliminate the vulnerability

  3. Other products, such as apparel, do benefit by physical touch. And even though apparel is sold online, the lack of physical touch contributes to instances of shopping online but buying in-store. Coenzyme Q10 Powder

  4. It's a pity you don't have a donate button, I would donate some =) have a peek here

  5. Very educating story, saved your site for hopes to read more. Fashion Shopping in USA

  6. I like the valuable info you provide in your articles. I like the valuable info you provide in your articles. Thanks!
    Enjoy with Friv click here for games

  7. I needed to thank you for this incredible read!! I unquestionably adored each and every piece of it. I have bookmarked your site to look at the new stuff you post. Magento extensions by Mageworx

  8. The goal of this document is to highlight the need for end-to-end solutions that seamlessly integrate. baby products

  9. Really cool post, highly informative and professionally written and I am glad to be a visitor of this perfect blog, thank you for this rare info!
    Magento course in chennai

  10. The popular mobile platforms make people use artificial intelligence on a daily basis. A large number of people nowadays perform common tasks by talking to their machines through Google's Assistant, Apple's Siri, or Microsoft's Cortana. How to dropship

  11. Marvelous and fascinating article. Incredible things you've generally imparted to us. Much obliged. Simply keep making this kind of post.
    custom magento development

  12. Hi, thanks for the nice information, it's very useful to read your blog.
    Web Design Training

  13. Selenium is one of the most popular automated testing tools used to automate various types of applications. Selenium is a package of several testing tools designed to support and encourage automation testing of the functional aspects of web-based applications across a wide range of browsers and platforms, and for the same reason it is referred to as a Suite.

    Selenium Interview Questions and Answers
    Javascript Interview Questions
    Human Resource (HR) Interview Questions

  14. This is an awesome post. Really very informative and creative contents. This concept is a good way to enhance knowledge. I like it and it helps me to develop very well. Thank you for this brief explanation and very nice information. Well, got good knowledge.
    WordPress website development Chennai
