Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Magento fixed a critical Magento SQL Injection flaw

There is an important news for administrators of e-commerce websites running over the Magento platform, Magento fixed a critical SQL injection flaw. Administrators of Magento e-commerce websites have to update their installations due to the presence of a critical SQL injection vulnerability in the popular CMS. The flaw could have a significant impact considering that […]

Magento 1

There is an important news for administrators of e-commerce websites running over the Magento platform, Magento fixed a critical SQL injection flaw.

Administrators of Magento e-commerce websites have to update their installations due to the presence of a critical SQL injection vulnerability in the popular CMS.

The flaw could have a significant impact considering that roughly 28% of websites on the Internet are based on the popular open source e-commerce platform.

This week Magento released new versions of to address a total of 37 security vulnerabilities.

The company addressed Remote Code Execution (RCE), Cross-Site Scripting (XSS) and other issues, most of them could only be exploited by authenticated users. Experts pointed out that the most severe flaw addressed in this round is an SQL Injection vulnerability, that can be exploited by unauthenticated, remote attackers.

The vulnerability, internally tracked as “PRODSECBUG-2198,” could be exploited by remote attackers to steal sensitive information from the databases of vulnerable e-commerce sites. The flaw could be exploited to steal admin sessions or password hashes that could allow attackers to access to the admin’s dashboard.

“Magento Commerce and Open Source 2.3.1, 2.2.8 and 2.1.17 contain multiple security enhancements that help close Remote Code Execution (RCE), Cross-Site Scripting (XSS) and other vulnerabilities.” reads the security advisory published by Magento.

“An unauthenticated user can execute arbitrary code through an SQL injection vulnerability, which causes sensitive data leakage.”

Magento

The versions of the CMS affected by the flaw include:

  • Magento Open Source prior to 1.9.4.1
  • Magento Commerce prior to 1.14.4.1
  • Magento Commerce 2.1 prior to 2.1.17
  • Magento Commerce 2.2 prior to 2.2.8
  • Magento Commerce 2.3 prior to 2.3.1

Administrators of e-commerce websites running on vulnerable versions of the CMS have to install the latest version as soon as possible.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – CMS, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]