Wednesday, April 12, 2017

High Risk 0-day Vulnerability Found in Magento eCommerce

During a security audit of Magento Community Edition, a highly popular e-commerce platform, a high-risk vulnerability was discovered that could lead to remote code execution and thus complete system compromise, including the database containing sensitive customer information such as stored credit card numbers and other payment details. The vulnerability is based on an arbitrary file upload combined with a cross-site request forgery (CSRF) vulnerability as the main attack vector.
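
The two defences that the attack vector described above calls for, shown as an added Python illustration (this is not DefenseCode's or Magento's code; the session store, the site origin and the request dictionaries are constructed for the example): an upload handler that first verifies an anti-CSRF token and the request Origin, and only then validates the file by an extension allowlist plus magic bytes and stores it under a server-chosen name.

```python
import hmac
import os
import secrets

# Constructed session for the example: the anti-CSRF token is generated
# server-side and embedded in the legitimate same-origin upload form.
SESSION = {"csrf_token": secrets.token_hex(16)}
SITE_ORIGIN = "https://shop.example"  # assumed origin, not taken from the advisory
# Extension allowlist mapped to the magic bytes a real file of that type starts with.
ALLOWED = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "gif": b"GIF8"}


def upload_weak(request):
    """The pattern the advisory describes: no CSRF check and a client-chosen
    name that is trusted, so a cross-site form can drop a script into the webroot."""
    return ("stored", request["filename"])


def upload_hardened(request):
    """Reject cross-site requests first, then anything that is not a real image."""
    # 1. CSRF: token must match the session token (constant-time compare) and
    #    the Origin header must be our own site.
    token = request.get("csrf_token", "")
    if not hmac.compare_digest(token, SESSION["csrf_token"]):
        return ("rejected", "bad CSRF token")
    if request.get("origin") != SITE_ORIGIN:
        return ("rejected", "cross-site origin")
    # 2. Upload: allowlist the extension and require the content's magic bytes
    #    to match it, instead of trusting the name or Content-Type the client sent.
    ext = request["filename"].rsplit(".", 1)[-1].lower()
    magic = ALLOWED.get(ext)
    if magic is None or not request["content"].startswith(magic):
        return ("rejected", "not an allowed image")
    # 3. Never keep the client's name: a random server-chosen name with the
    #    validated extension means the stored file can never be reached as a script.
    safe_name = f"{secrets.token_hex(8)}.{ext}"
    return ("stored", os.path.join("uploads", safe_name))
```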

Despite the efforts of our team in notifying the vendor on more than one occasion since November 2016, the vulnerability remains unpatched.

Full vulnerability details are published as an advisory.

Regards,
DefenseCode Team

16 comments:

  1. Thanks for publishing such useful information. slope

  2. Yes, thanks, I've already read an article on another resource about this problem and how to fix it. On my website, I also found this vulnerability when I installed the theme on the Magento template https://www.templatemonster.com/ru/magento-themes-type/. I had to look for ways to eliminate the problem, and found by chance one resource dedicated to programming which details how to eliminate the vulnerability.
