Wednesday, April 12, 2017

High Risk 0-day Vulnerability Found in Magento eCommerce

During a security audit of Magento Community Edition, a highly popular e-commerce platform, a high-risk vulnerability was discovered that could lead to remote code execution and thus to complete system compromise, including the database containing sensitive customer information such as stored credit card numbers and other payment information. The vulnerability is based on an arbitrary file upload combined with a cross-site request forgery (CSRF) vulnerability as the main attack vector.

Despite our team's efforts to notify the vendor on more than one occasion since November 2016, the vulnerability remains unpatched.

Full vulnerability details are published as an advisory.

Regards,
DefenseCode Team

4 comments:

  1. Thanks for publishing such useful information. slope

  2. Yes, thanks, I've already read an article on another resource about this problem, and how to fix it. On my website, I also found this vulnerability when I installed the theme on the Magento template https://www.templatemonster.com/ru/magento-themes-type/. I had to look for ways to eliminate the problem, found by chance on one resource dedicated to programming, which details how to eliminate the vulnerability.

  3. Other products, such as apparel, do benefit by physical touch. And even though apparel is sold online, the lack of physical touch contributes to instances of shopping online but buying in-store. Coenzyme Q10 Powder
