Millions of online merchants are at risk of hijacking attacks due to a number of critical cross-site scripting (XSS) vulnerabilities in the Magento, the most popular e-commerce platform owned by eBay.
Why the Bugs are So Serious?
Virtually all versions of Magento Community Edition 18.104.22.168 and earlier as well as Enterprise Edition 22.214.171.124 and earlier, are vulnerable to the Stored Cross-Site Scripting (XSS) flaws.
The stored XSS flaws are awful as they allow attackers to:
- Effectively take over a Magento-based online store
- Escalate user privileges
- Siphon customers’ data
- Steal credit card information
- Control the website via administrator accounts
However, the good news is that the vulnerabilities are patched, and an update has been made available to the public after security firm Sucuri discovered and privately reported the vulnerability to the company.
How Easy it is to Exploit the Flaw
Cybersecurity firm Sucuri describes the bug as the worst hole, saying:
"The buggy snippet is located inside Magento core libraries, more specifically within the administrator's backend. Unless you are behind a WAF or you have a very heavily modified administration panel, you are at risk."
"As this is a Stored XSS vulnerability, this issue could be used by attackers to take over your site, create new administrator accounts, steal client information, anything a legitimate administrator account is allowed to do."
Patch your Software Now!
To prevent websites from exploitation, webmasters are recommended to apply the latest patch bundle SUPEE-7405 as soon as possible.
Since the latest patch resolves the issue for Magento version 1.14.1 and 1.9.1 and earlier, problems impacting Magento versions 126.96.36.199 and 188.8.131.52 have already been resolved.
With Alexa top one million e-commerce websites and over all ten Million websites using the internet's fourth most popular CMS, Magento has become a valuable target for attackers nowadays.
So, patch your websites now to stay safe!