DefenseCode has published proof of concept code for two CSRF and stored XSS vulnerabilities affecting a number of versions of the popular e-commerce platform Magento.
Magento is an open source platform that provides merchants with control over their online stores and a shopping cart system, as well as tools to improve the visibility and management of the shop.
About the vulnerabilities
Security researcher Bosko Stankovic discovered the security flaws during a security audit of Magento Open Source (formerly Community Edition, or CE) and Magento Commerce, the company’s platform-as-a-service offering. He reported them to the vendor’s security team, and they have since been fixed, along with a dozen other vulnerabilities.
At the time of disclosure, no attacks exploiting these bugs were known, but now that PoC code is public, attackers may try to develop exploits and launch them. So, if you’re running one of the 200,000+ Magento stores and you haven’t yet updated your installation, now is the time to do it.
Exploitation of the two vulnerabilities could result in administrator account takeover, and ultimately lead to customer payment information theft.
“To execute the CSRF attack, the victim needs only to click on a link, although some variants of the attack can be accomplished by the victim opening an email (via img src= tags),” Stankovic explained to Help Net Security.
“The complete attacks described in the advisories (1, 2) combine CSRF, stored Cross-Site Scripting and redirection, and require the victim to open the attacker’s page hosting malicious code. Another prerequisite for them is that the ‘Add Secret Keys to URLs’ option is disabled (which, in most cases, it is).”
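The prerequisite in the quote above, that secret keys in admin URLs are disabled, is the whole reason a link or an img src= tag can drive an admin action: a forged GET carries the victim’s session cookie but cannot carry a key the attacker does not know. The following is an added example, not code from the article or from Magento; it models that control in a self-contained way. The admin route, the session store, the key derivation and the request format are all constructed stand-ins for illustration, not Magento’s actual implementation.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for a server-side session store: session id -> per-session secret.
# A real application would keep this in its session backend, not a module-level dict.
SESSIONS = {}


def new_admin_session():
    """Create an admin session holding a random secret used to derive URL keys."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = secrets.token_bytes(32)
    return sid


def url_key(sid, route):
    """Derive the per-session, per-route key the legitimate admin UI embeds in its links.

    Because it is an HMAC over the session secret, a third-party page cannot compute it,
    so a cross-site request cannot include a valid one.
    """
    return hmac.new(SESSIONS[sid], route.encode(), hashlib.sha256).hexdigest()[:32]


def handle_admin_request(url, cookie_sid, require_key):
    """Process an admin action carried by a GET request.

    url         -- request path and query string as the browser sent them
    cookie_sid  -- session id taken from the cookie the browser attached automatically
    require_key -- models the 'Add Secret Keys to URLs' setting: when False, a cookie
                   alone is enough, which is the CSRF-prone configuration
    Returns an (HTTP status, message) tuple.
    """
    parts = urlsplit(url)
    route = parts.path
    if cookie_sid not in SESSIONS:
        return (403, "no admin session")
    if require_key:
        supplied = parse_qs(parts.query).get("key", [""])[0]
        expected = url_key(cookie_sid, route)
        # Constant-time comparison on bytes, so a non-ASCII or empty value is simply rejected.
        if not hmac.compare_digest(supplied.encode(), expected.encode()):
            return (403, "invalid or missing secret key")
    return (200, "executed " + route)


def demo():
    """Show the same forged request against both configurations, plus a legitimate one."""
    sid = new_admin_session()
    route = "/admin/system_config/save"  # constructed route, not a real Magento path
    # A request as an attacker's img src= would trigger it: the cookie rides along, the key does not.
    forged = route + "?section=design&url=http://attacker.example/"
    legit = forged + "&key=" + url_key(sid, route)
    return {
        "forged_keys_disabled": handle_admin_request(forged, sid, require_key=False),
        "forged_keys_enabled": handle_admin_request(forged, sid, require_key=True),
        "legit_keys_enabled": handle_admin_request(legit, sid, require_key=True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point of the example is the contrast in `demo()`: with keys disabled the forged request succeeds on the strength of the cookie alone, and with keys enabled the identical request is refused while the UI-generated link still works. Binding the key to both the session secret and the route is what stops a key leaked from one page being replayed against another action.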
Affected Magento versions and available fixes
The vulnerabilities affect:
- Magento CE 1 prior to 220.127.116.11
- Magento Commerce prior to 18.104.22.168
- Magento 2.0 prior to 2.0.16
- Magento 2.1 prior to 2.1.9
Secure versions of the packages were released on September 14, so pick them up and apply them as soon as possible.
In February 2022, WhiteSource acquired DefenseCode.